Malware Analysis Report

2024-10-24 16:29

Sample ID 201102-qmzdv5yy92
Target Booking Confirmation591773251.exe
SHA256 4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72
Tags persistence spyware
Score 8/10

Analysis Overview

score
8/10

SHA256

4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72

Threat Level: Likely malicious

The file Booking Confirmation591773251.exe was found to be: Likely malicious.

Malicious Activity Summary

persistence spyware

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-11-02 14:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-02 14:43

Reported

2020-11-02 14:45

Platform

win7v20201028

Max time kernel

151s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system\images.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1268 set thread context of 1220 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\images.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 1452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1460 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1460 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1460 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 864 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 864 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 864 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 864 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 864 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 864 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 864 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 864 wrote to memory of 1588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 108 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 108 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 108 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 108 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 108 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 108 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 108 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 108 wrote to memory of 1420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1584 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1584 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1584 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1584 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1860 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1860 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1860 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1032 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1032 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1032 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1032 wrote to memory of 1628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1588 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1588 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1588 wrote to memory of 916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 940 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 940 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 940 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 940 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1404 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1404 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1404 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1968 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1968 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1968 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2104 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2104 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2104 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2148 wrote to memory of 2176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2148 wrote to memory of 2176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2148 wrote to memory of 2176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2192 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2192 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2192 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2236 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2280 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2280 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2280 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2324 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2368 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2416 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2416 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2416 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2460 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2460 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2460 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2504 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2548 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2592 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2636 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2636 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2636 wrote to memory of 2664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2680 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2724 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2768 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2812 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2812 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2812 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2812 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2856 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2944 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2944 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2944 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2988 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2988 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2988 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3032 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3032 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3032 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1680 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1680 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1680 wrote to memory of 2076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1268 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2084 wrote to memory of 2136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2084 wrote to memory of 2136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2084 wrote to memory of 2136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 268 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 268 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1268 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe

"C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe" "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Users\Admin\AppData\Roaming\system\images.exe

"C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 ada.urown.cloud udp
N/A 194.5.97.146:5200 ada.urown.cloud tcp

Files

C:\Users\Admin\AppData\Roaming\system\images.exe

MD5 d36537604871b3550a9c5c635c37a601
SHA1 a5360105e7b4d5316c88e5403013dd395c1ab145
SHA256 4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72
SHA512 8b0c31bae27b95ee726fb77a2e0c6b82e599f73ad93d0fcf8c853cca2daf285796d0175ea1d5e0cfb3a40d5b80958a6c1d821b10eb241cba95a7c909ffe04df9

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-02 14:43

Reported

2020-11-02 14:45

Platform

win10v20201028

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system\images.exe N/A

Reads user/profile data of web browsers

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3944 set thread context of 2072 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system\images.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\images.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe C:\Windows\SysWOW64\cmd.exe
PID 1304 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 3944 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\system\images.exe
PID 3944 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 3672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 3944 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2184 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3828 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3680 wrote to memory of 3668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 796 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 796 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 372 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 372 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 808 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 808 wrote to memory of 3396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 1716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1420 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 3488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 976 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 976 wrote to memory of 1320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2500 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2500 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2564 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2564 wrote to memory of 2276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 728 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 728 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 728 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 728 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 728 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 728 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2136 wrote to memory of 968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2136 wrote to memory of 968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1048 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1048 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1572 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1572 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3656 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3656 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 980 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 980 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 980 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 980 wrote to memory of 3600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1392 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1392 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1640 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1640 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1120 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1120 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1120 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1424 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1424 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 560 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 560 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 560 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 560 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 560 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 560 wrote to memory of 3956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2524 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2524 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1844 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1844 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1844 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1796 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1796 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 188 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 188 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 188 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 188 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 188 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 188 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4120 wrote to memory of 4164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4120 wrote to memory of 4164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4120 wrote to memory of 4164 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 4232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4188 wrote to memory of 4232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4188 wrote to memory of 4232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4256 wrote to memory of 4300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4256 wrote to memory of 4300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4256 wrote to memory of 4300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4324 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4324 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4392 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4392 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4392 wrote to memory of 4436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4460 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4460 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4460 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4528 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4528 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4528 wrote to memory of 4572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4596 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4596 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4664 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4664 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4664 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4732 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4732 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4732 wrote to memory of 4776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4800 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4800 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4868 wrote to memory of 4912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4868 wrote to memory of 4912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4868 wrote to memory of 4912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4936 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4936 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5004 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5004 wrote to memory of 5048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5072 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5072 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 4180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 4180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2152 wrote to memory of 4180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4144 wrote to memory of 4216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4144 wrote to memory of 4216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4144 wrote to memory of 4216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4200 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4200 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4200 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4340 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4340 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4340 wrote to memory of 4344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4448 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4448 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4448 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4500 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4500 wrote to memory of 4584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4552 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4552 wrote to memory of 4636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4608 wrote to memory of 4684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4784 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4784 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4848 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4848 wrote to memory of 4884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4908 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4908 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4956 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4956 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 5024 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5024 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5024 wrote to memory of 5076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2132 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2132 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2132 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4224 wrote to memory of 4304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4224 wrote to memory of 4304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4224 wrote to memory of 4304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3944 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe

"C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation591773251.exe" "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Users\Admin\AppData\Roaming\system\images.exe

"C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 ada.urown.cloud udp
N/A 194.5.97.146:5200 ada.urown.cloud tcp

Files

C:\Users\Admin\AppData\Roaming\system\images.exe

MD5 d36537604871b3550a9c5c635c37a601
SHA1 a5360105e7b4d5316c88e5403013dd395c1ab145
SHA256 4f3145508f4292ca3bfb6d9d4284b50df0834743676e6b951e71b4248d0d1a72
SHA512 8b0c31bae27b95ee726fb77a2e0c6b82e599f73ad93d0fcf8c853cca2daf285796d0175ea1d5e0cfb3a40d5b80958a6c1d821b10eb241cba95a7c909ffe04df9
