84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878

Resubmissions

07-07-2022 07:38

220707-jgwxasfbgj 10

06-11-2020 17:38

201106-dv6jg3j51e 8

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
06-11-2020 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Booking Confirmation 110492024951 - copy - PDF.exe
Size

783KB
MD5

f867516ec5e600fb4af968c71b9a2a80
SHA1

701970eb6a98cbc8661562155796f0491cf36efe
SHA256

84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878
SHA512

d694a4898a7bca9aa1f9bfa20ca38c2768a608afc80b8dfa9a7bbbdc0740f7bab7514813530cec3ea66ce2b89cb916fcbbc94214d4859b8c98742e08ef486c41

Score

8^/10

persistence spyware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1808	images.exe

Loads dropped DLL 1 IoCs

pid	Process
672	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 156 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 1720	1808	images.exe	40

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2036	Booking Confirmation 110492024951 - copy - PDF.exe
1808	images.exe
1720	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	Booking Confirmation 110492024951 - copy - PDF.exe
Token: SeDebugPrivilege	1808	images.exe
Token: SeDebugPrivilege	1720	InstallUtil.exe

Suspicious use of WriteProcessMemory 652 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1120	2036	Booking Confirmation 110492024951 - copy - PDF.exe	30
PID 2036 wrote to memory of 1120	2036	Booking Confirmation 110492024951 - copy - PDF.exe	30
PID 2036 wrote to memory of 1120	2036	Booking Confirmation 110492024951 - copy - PDF.exe	30
PID 2036 wrote to memory of 1120	2036	Booking Confirmation 110492024951 - copy - PDF.exe	30
PID 2036 wrote to memory of 672	2036	Booking Confirmation 110492024951 - copy - PDF.exe	32
PID 2036 wrote to memory of 672	2036	Booking Confirmation 110492024951 - copy - PDF.exe	32
PID 2036 wrote to memory of 672	2036	Booking Confirmation 110492024951 - copy - PDF.exe	32
PID 2036 wrote to memory of 672	2036	Booking Confirmation 110492024951 - copy - PDF.exe	32
PID 672 wrote to memory of 1808	672	cmd.exe	34
PID 672 wrote to memory of 1808	672	cmd.exe	34
PID 672 wrote to memory of 1808	672	cmd.exe	34
PID 672 wrote to memory of 1808	672	cmd.exe	34
PID 672 wrote to memory of 1808	672	cmd.exe	34
PID 672 wrote to memory of 1808	672	cmd.exe	34
PID 672 wrote to memory of 1808	672	cmd.exe	34
PID 1808 wrote to memory of 1584	1808	images.exe	35
PID 1808 wrote to memory of 1584	1808	images.exe	35
PID 1808 wrote to memory of 1584	1808	images.exe	35
PID 1808 wrote to memory of 1584	1808	images.exe	35
PID 1584 wrote to memory of 1508	1584	cmd.exe	37
PID 1584 wrote to memory of 1508	1584	cmd.exe	37
PID 1584 wrote to memory of 1508	1584	cmd.exe	37
PID 1584 wrote to memory of 1508	1584	cmd.exe	37
PID 1808 wrote to memory of 1972	1808	images.exe	38
PID 1808 wrote to memory of 1972	1808	images.exe	38
PID 1808 wrote to memory of 1972	1808	images.exe	38
PID 1808 wrote to memory of 1972	1808	images.exe	38
PID 1972 wrote to memory of 1688	1972	cmd.exe	41
PID 1972 wrote to memory of 1688	1972	cmd.exe	41
PID 1972 wrote to memory of 1688	1972	cmd.exe	41
PID 1972 wrote to memory of 1688	1972	cmd.exe	41
PID 1808 wrote to memory of 1720	1808	images.exe	40
PID 1808 wrote to memory of 1720	1808	images.exe	40
PID 1808 wrote to memory of 1720	1808	images.exe	40
PID 1808 wrote to memory of 1720	1808	images.exe	40
PID 1808 wrote to memory of 1720	1808	images.exe	40
PID 1808 wrote to memory of 1720	1808	images.exe	40
PID 1808 wrote to memory of 1720	1808	images.exe	40
PID 1808 wrote to memory of 1720	1808	images.exe	40
PID 1808 wrote to memory of 1720	1808	images.exe	40
PID 1808 wrote to memory of 1720	1808	images.exe	40
PID 1808 wrote to memory of 1720	1808	images.exe	40
PID 1808 wrote to memory of 1720	1808	images.exe	40
PID 1808 wrote to memory of 1720	1808	images.exe	40
PID 1808 wrote to memory of 1744	1808	images.exe	42
PID 1808 wrote to memory of 1744	1808	images.exe	42
PID 1808 wrote to memory of 1744	1808	images.exe	42
PID 1808 wrote to memory of 1744	1808	images.exe	42
PID 1744 wrote to memory of 1532	1744	cmd.exe	44
PID 1744 wrote to memory of 1532	1744	cmd.exe	44
PID 1744 wrote to memory of 1532	1744	cmd.exe	44
PID 1744 wrote to memory of 1532	1744	cmd.exe	44
PID 1808 wrote to memory of 944	1808	images.exe	45
PID 1808 wrote to memory of 944	1808	images.exe	45
PID 1808 wrote to memory of 944	1808	images.exe	45
PID 1808 wrote to memory of 944	1808	images.exe	45
PID 944 wrote to memory of 280	944	cmd.exe	47
PID 944 wrote to memory of 280	944	cmd.exe	47
PID 944 wrote to memory of 280	944	cmd.exe	47
PID 944 wrote to memory of 280	944	cmd.exe	47
PID 1808 wrote to memory of 1980	1808	images.exe	48
PID 1808 wrote to memory of 1980	1808	images.exe	48
PID 1808 wrote to memory of 1980	1808	images.exe	48
PID 1808 wrote to memory of 1980	1808	images.exe	48
PID 1980 wrote to memory of 1912	1980	cmd.exe	50
PID 1980 wrote to memory of 1912	1980	cmd.exe	50
PID 1980 wrote to memory of 1912	1980	cmd.exe	50
PID 1980 wrote to memory of 1912	1980	cmd.exe	50
PID 1808 wrote to memory of 1924	1808	images.exe	51
PID 1808 wrote to memory of 1924	1808	images.exe	51
PID 1808 wrote to memory of 1924	1808	images.exe	51
PID 1808 wrote to memory of 1924	1808	images.exe	51
PID 1924 wrote to memory of 1416	1924	cmd.exe	53
PID 1924 wrote to memory of 1416	1924	cmd.exe	53
PID 1924 wrote to memory of 1416	1924	cmd.exe	53
PID 1924 wrote to memory of 1416	1924	cmd.exe	53
PID 1808 wrote to memory of 1524	1808	images.exe	54
PID 1808 wrote to memory of 1524	1808	images.exe	54
PID 1808 wrote to memory of 1524	1808	images.exe	54
PID 1808 wrote to memory of 1524	1808	images.exe	54
PID 1524 wrote to memory of 1832	1524	cmd.exe	56
PID 1524 wrote to memory of 1832	1524	cmd.exe	56
PID 1524 wrote to memory of 1832	1524	cmd.exe	56
PID 1524 wrote to memory of 1832	1524	cmd.exe	56
PID 1808 wrote to memory of 1312	1808	images.exe	57
PID 1808 wrote to memory of 1312	1808	images.exe	57
PID 1808 wrote to memory of 1312	1808	images.exe	57
PID 1808 wrote to memory of 1312	1808	images.exe	57
PID 1312 wrote to memory of 1544	1312	cmd.exe	59
PID 1312 wrote to memory of 1544	1312	cmd.exe	59
PID 1312 wrote to memory of 1544	1312	cmd.exe	59
PID 1312 wrote to memory of 1544	1312	cmd.exe	59
PID 1808 wrote to memory of 1564	1808	images.exe	60
PID 1808 wrote to memory of 1564	1808	images.exe	60
PID 1808 wrote to memory of 1564	1808	images.exe	60
PID 1808 wrote to memory of 1564	1808	images.exe	60
PID 1564 wrote to memory of 1964	1564	cmd.exe	62
PID 1564 wrote to memory of 1964	1564	cmd.exe	62
PID 1564 wrote to memory of 1964	1564	cmd.exe	62
PID 1564 wrote to memory of 1964	1564	cmd.exe	62
PID 1808 wrote to memory of 1364	1808	images.exe	63
PID 1808 wrote to memory of 1364	1808	images.exe	63
PID 1808 wrote to memory of 1364	1808	images.exe	63
PID 1808 wrote to memory of 1364	1808	images.exe	63
PID 1364 wrote to memory of 1644	1364	cmd.exe	65
PID 1364 wrote to memory of 1644	1364	cmd.exe	65
PID 1364 wrote to memory of 1644	1364	cmd.exe	65
PID 1364 wrote to memory of 1644	1364	cmd.exe	65
PID 1808 wrote to memory of 968	1808	images.exe	66
PID 1808 wrote to memory of 968	1808	images.exe	66
PID 1808 wrote to memory of 968	1808	images.exe	66
PID 1808 wrote to memory of 968	1808	images.exe	66
PID 968 wrote to memory of 272	968	cmd.exe	68
PID 968 wrote to memory of 272	968	cmd.exe	68
PID 968 wrote to memory of 272	968	cmd.exe	68
PID 968 wrote to memory of 272	968	cmd.exe	68
PID 1808 wrote to memory of 1540	1808	images.exe	69
PID 1808 wrote to memory of 1540	1808	images.exe	69
PID 1808 wrote to memory of 1540	1808	images.exe	69
PID 1808 wrote to memory of 1540	1808	images.exe	69
PID 1540 wrote to memory of 1892	1540	cmd.exe	71
PID 1540 wrote to memory of 1892	1540	cmd.exe	71
PID 1540 wrote to memory of 1892	1540	cmd.exe	71
PID 1540 wrote to memory of 1892	1540	cmd.exe	71
PID 1808 wrote to memory of 760	1808	images.exe	72
PID 1808 wrote to memory of 760	1808	images.exe	72
PID 1808 wrote to memory of 760	1808	images.exe	72
PID 1808 wrote to memory of 760	1808	images.exe	72
PID 760 wrote to memory of 2028	760	cmd.exe	74
PID 760 wrote to memory of 2028	760	cmd.exe	74
PID 760 wrote to memory of 2028	760	cmd.exe	74
PID 760 wrote to memory of 2028	760	cmd.exe	74
PID 1808 wrote to memory of 1308	1808	images.exe	75
PID 1808 wrote to memory of 1308	1808	images.exe	75
PID 1808 wrote to memory of 1308	1808	images.exe	75
PID 1808 wrote to memory of 1308	1808	images.exe	75
PID 1308 wrote to memory of 1824	1308	cmd.exe	77
PID 1308 wrote to memory of 1824	1308	cmd.exe	77
PID 1308 wrote to memory of 1824	1308	cmd.exe	77
PID 1308 wrote to memory of 1824	1308	cmd.exe	77
PID 1808 wrote to memory of 1544	1808	images.exe	78
PID 1808 wrote to memory of 1544	1808	images.exe	78
PID 1808 wrote to memory of 1544	1808	images.exe	78
PID 1808 wrote to memory of 1544	1808	images.exe	78
PID 1544 wrote to memory of 844	1544	cmd.exe	80
PID 1544 wrote to memory of 844	1544	cmd.exe	80
PID 1544 wrote to memory of 844	1544	cmd.exe	80
PID 1544 wrote to memory of 844	1544	cmd.exe	80
PID 1808 wrote to memory of 1796	1808	images.exe	81
PID 1808 wrote to memory of 1796	1808	images.exe	81
PID 1808 wrote to memory of 1796	1808	images.exe	81
PID 1808 wrote to memory of 1796	1808	images.exe	81
PID 1796 wrote to memory of 564	1796	cmd.exe	83
PID 1796 wrote to memory of 564	1796	cmd.exe	83
PID 1796 wrote to memory of 564	1796	cmd.exe	83
PID 1796 wrote to memory of 564	1796	cmd.exe	83
PID 1808 wrote to memory of 876	1808	images.exe	84
PID 1808 wrote to memory of 876	1808	images.exe	84
PID 1808 wrote to memory of 876	1808	images.exe	84
PID 1808 wrote to memory of 876	1808	images.exe	84
PID 876 wrote to memory of 532	876	cmd.exe	86
PID 876 wrote to memory of 532	876	cmd.exe	86
PID 876 wrote to memory of 532	876	cmd.exe	86
PID 876 wrote to memory of 532	876	cmd.exe	86
PID 1808 wrote to memory of 772	1808	images.exe	87
PID 1808 wrote to memory of 772	1808	images.exe	87
PID 1808 wrote to memory of 772	1808	images.exe	87
PID 1808 wrote to memory of 772	1808	images.exe	87
PID 772 wrote to memory of 1892	772	cmd.exe	89
PID 772 wrote to memory of 1892	772	cmd.exe	89
PID 772 wrote to memory of 1892	772	cmd.exe	89
PID 772 wrote to memory of 1892	772	cmd.exe	89
PID 1808 wrote to memory of 2036	1808	images.exe	90
PID 1808 wrote to memory of 2036	1808	images.exe	90
PID 1808 wrote to memory of 2036	1808	images.exe	90
PID 1808 wrote to memory of 2036	1808	images.exe	90
PID 2036 wrote to memory of 1404	2036	cmd.exe	92
PID 2036 wrote to memory of 1404	2036	cmd.exe	92
PID 2036 wrote to memory of 1404	2036	cmd.exe	92
PID 2036 wrote to memory of 1404	2036	cmd.exe	92
PID 1808 wrote to memory of 1832	1808	images.exe	93
PID 1808 wrote to memory of 1832	1808	images.exe	93
PID 1808 wrote to memory of 1832	1808	images.exe	93
PID 1808 wrote to memory of 1832	1808	images.exe	93
PID 1832 wrote to memory of 900	1832	cmd.exe	95
PID 1832 wrote to memory of 900	1832	cmd.exe	95
PID 1832 wrote to memory of 900	1832	cmd.exe	95
PID 1832 wrote to memory of 900	1832	cmd.exe	95
PID 1808 wrote to memory of 1964	1808	images.exe	96
PID 1808 wrote to memory of 1964	1808	images.exe	96
PID 1808 wrote to memory of 1964	1808	images.exe	96
PID 1808 wrote to memory of 1964	1808	images.exe	96
PID 1964 wrote to memory of 1688	1964	cmd.exe	98
PID 1964 wrote to memory of 1688	1964	cmd.exe	98
PID 1964 wrote to memory of 1688	1964	cmd.exe	98
PID 1964 wrote to memory of 1688	1964	cmd.exe	98
PID 1808 wrote to memory of 564	1808	images.exe	99
PID 1808 wrote to memory of 564	1808	images.exe	99
PID 1808 wrote to memory of 564	1808	images.exe	99
PID 1808 wrote to memory of 564	1808	images.exe	99
PID 564 wrote to memory of 272	564	cmd.exe	101
PID 564 wrote to memory of 272	564	cmd.exe	101
PID 564 wrote to memory of 272	564	cmd.exe	101
PID 564 wrote to memory of 272	564	cmd.exe	101
PID 1808 wrote to memory of 872	1808	images.exe	102
PID 1808 wrote to memory of 872	1808	images.exe	102
PID 1808 wrote to memory of 872	1808	images.exe	102
PID 1808 wrote to memory of 872	1808	images.exe	102
PID 872 wrote to memory of 1892	872	cmd.exe	104
PID 872 wrote to memory of 1892	872	cmd.exe	104
PID 872 wrote to memory of 1892	872	cmd.exe	104
PID 872 wrote to memory of 1892	872	cmd.exe	104
PID 1808 wrote to memory of 2012	1808	images.exe	105
PID 1808 wrote to memory of 2012	1808	images.exe	105
PID 1808 wrote to memory of 2012	1808	images.exe	105
PID 1808 wrote to memory of 2012	1808	images.exe	105
PID 2012 wrote to memory of 1360	2012	cmd.exe	107
PID 2012 wrote to memory of 1360	2012	cmd.exe	107
PID 2012 wrote to memory of 1360	2012	cmd.exe	107
PID 2012 wrote to memory of 1360	2012	cmd.exe	107
PID 1808 wrote to memory of 1824	1808	images.exe	108
PID 1808 wrote to memory of 1824	1808	images.exe	108
PID 1808 wrote to memory of 1824	1808	images.exe	108
PID 1808 wrote to memory of 1824	1808	images.exe	108
PID 1824 wrote to memory of 788	1824	cmd.exe	110
PID 1824 wrote to memory of 788	1824	cmd.exe	110
PID 1824 wrote to memory of 788	1824	cmd.exe	110
PID 1824 wrote to memory of 788	1824	cmd.exe	110
PID 1808 wrote to memory of 576	1808	images.exe	111
PID 1808 wrote to memory of 576	1808	images.exe	111
PID 1808 wrote to memory of 576	1808	images.exe	111
PID 1808 wrote to memory of 576	1808	images.exe	111
PID 576 wrote to memory of 1532	576	cmd.exe	113
PID 576 wrote to memory of 1532	576	cmd.exe	113
PID 576 wrote to memory of 1532	576	cmd.exe	113
PID 576 wrote to memory of 1532	576	cmd.exe	113
PID 1808 wrote to memory of 972	1808	images.exe	114
PID 1808 wrote to memory of 972	1808	images.exe	114
PID 1808 wrote to memory of 972	1808	images.exe	114
PID 1808 wrote to memory of 972	1808	images.exe	114
PID 972 wrote to memory of 2008	972	cmd.exe	116
PID 972 wrote to memory of 2008	972	cmd.exe	116
PID 972 wrote to memory of 2008	972	cmd.exe	116
PID 972 wrote to memory of 2008	972	cmd.exe	116
PID 1808 wrote to memory of 1912	1808	images.exe	117
PID 1808 wrote to memory of 1912	1808	images.exe	117
PID 1808 wrote to memory of 1912	1808	images.exe	117
PID 1808 wrote to memory of 1912	1808	images.exe	117
PID 1912 wrote to memory of 952	1912	cmd.exe	119
PID 1912 wrote to memory of 952	1912	cmd.exe	119
PID 1912 wrote to memory of 952	1912	cmd.exe	119
PID 1912 wrote to memory of 952	1912	cmd.exe	119
PID 1808 wrote to memory of 528	1808	images.exe	120
PID 1808 wrote to memory of 528	1808	images.exe	120
PID 1808 wrote to memory of 528	1808	images.exe	120
PID 1808 wrote to memory of 528	1808	images.exe	120
PID 528 wrote to memory of 1552	528	cmd.exe	122
PID 528 wrote to memory of 1552	528	cmd.exe	122
PID 528 wrote to memory of 1552	528	cmd.exe	122
PID 528 wrote to memory of 1552	528	cmd.exe	122
PID 1808 wrote to memory of 816	1808	images.exe	123
PID 1808 wrote to memory of 816	1808	images.exe	123
PID 1808 wrote to memory of 816	1808	images.exe	123
PID 1808 wrote to memory of 816	1808	images.exe	123
PID 816 wrote to memory of 1772	816	cmd.exe	125
PID 816 wrote to memory of 1772	816	cmd.exe	125
PID 816 wrote to memory of 1772	816	cmd.exe	125
PID 816 wrote to memory of 1772	816	cmd.exe	125
PID 1808 wrote to memory of 1904	1808	images.exe	126
PID 1808 wrote to memory of 1904	1808	images.exe	126
PID 1808 wrote to memory of 1904	1808	images.exe	126
PID 1808 wrote to memory of 1904	1808	images.exe	126
PID 1904 wrote to memory of 1260	1904	cmd.exe	128
PID 1904 wrote to memory of 1260	1904	cmd.exe	128
PID 1904 wrote to memory of 1260	1904	cmd.exe	128
PID 1904 wrote to memory of 1260	1904	cmd.exe	128
PID 1808 wrote to memory of 952	1808	images.exe	129
PID 1808 wrote to memory of 952	1808	images.exe	129
PID 1808 wrote to memory of 952	1808	images.exe	129
PID 1808 wrote to memory of 952	1808	images.exe	129
PID 952 wrote to memory of 1248	952	cmd.exe	131
PID 952 wrote to memory of 1248	952	cmd.exe	131
PID 952 wrote to memory of 1248	952	cmd.exe	131
PID 952 wrote to memory of 1248	952	cmd.exe	131
PID 1808 wrote to memory of 1232	1808	images.exe	132
PID 1808 wrote to memory of 1232	1808	images.exe	132
PID 1808 wrote to memory of 1232	1808	images.exe	132
PID 1808 wrote to memory of 1232	1808	images.exe	132
PID 1232 wrote to memory of 960	1232	cmd.exe	134
PID 1232 wrote to memory of 960	1232	cmd.exe	134
PID 1232 wrote to memory of 960	1232	cmd.exe	134
PID 1232 wrote to memory of 960	1232	cmd.exe	134
PID 1808 wrote to memory of 1632	1808	images.exe	135
PID 1808 wrote to memory of 1632	1808	images.exe	135
PID 1808 wrote to memory of 1632	1808	images.exe	135
PID 1808 wrote to memory of 1632	1808	images.exe	135
PID 1632 wrote to memory of 1260	1632	cmd.exe	137
PID 1632 wrote to memory of 1260	1632	cmd.exe	137
PID 1632 wrote to memory of 1260	1632	cmd.exe	137
PID 1632 wrote to memory of 1260	1632	cmd.exe	137
PID 1808 wrote to memory of 1624	1808	images.exe	138
PID 1808 wrote to memory of 1624	1808	images.exe	138
PID 1808 wrote to memory of 1624	1808	images.exe	138
PID 1808 wrote to memory of 1624	1808	images.exe	138
PID 1624 wrote to memory of 1368	1624	cmd.exe	140
PID 1624 wrote to memory of 1368	1624	cmd.exe	140
PID 1624 wrote to memory of 1368	1624	cmd.exe	140
PID 1624 wrote to memory of 1368	1624	cmd.exe	140
PID 1808 wrote to memory of 1072	1808	images.exe	141
PID 1808 wrote to memory of 1072	1808	images.exe	141
PID 1808 wrote to memory of 1072	1808	images.exe	141
PID 1808 wrote to memory of 1072	1808	images.exe	141
PID 1072 wrote to memory of 328	1072	cmd.exe	143
PID 1072 wrote to memory of 328	1072	cmd.exe	143
PID 1072 wrote to memory of 328	1072	cmd.exe	143
PID 1072 wrote to memory of 328	1072	cmd.exe	143
PID 1808 wrote to memory of 1144	1808	images.exe	144
PID 1808 wrote to memory of 1144	1808	images.exe	144
PID 1808 wrote to memory of 1144	1808	images.exe	144
PID 1808 wrote to memory of 1144	1808	images.exe	144
PID 1144 wrote to memory of 2028	1144	cmd.exe	146
PID 1144 wrote to memory of 2028	1144	cmd.exe	146
PID 1144 wrote to memory of 2028	1144	cmd.exe	146
PID 1144 wrote to memory of 2028	1144	cmd.exe	146
PID 1808 wrote to memory of 1432	1808	images.exe	147
PID 1808 wrote to memory of 1432	1808	images.exe	147
PID 1808 wrote to memory of 1432	1808	images.exe	147
PID 1808 wrote to memory of 1432	1808	images.exe	147
PID 1432 wrote to memory of 532	1432	cmd.exe	149
PID 1432 wrote to memory of 532	1432	cmd.exe	149
PID 1432 wrote to memory of 532	1432	cmd.exe	149
PID 1432 wrote to memory of 532	1432	cmd.exe	149
PID 1808 wrote to memory of 1404	1808	images.exe	150
PID 1808 wrote to memory of 1404	1808	images.exe	150
PID 1808 wrote to memory of 1404	1808	images.exe	150
PID 1808 wrote to memory of 1404	1808	images.exe	150
PID 1404 wrote to memory of 1248	1404	cmd.exe	152
PID 1404 wrote to memory of 1248	1404	cmd.exe	152
PID 1404 wrote to memory of 1248	1404	cmd.exe	152
PID 1404 wrote to memory of 1248	1404	cmd.exe	152
PID 1808 wrote to memory of 1836	1808	images.exe	153
PID 1808 wrote to memory of 1836	1808	images.exe	153
PID 1808 wrote to memory of 1836	1808	images.exe	153
PID 1808 wrote to memory of 1836	1808	images.exe	153
PID 1836 wrote to memory of 1360	1836	cmd.exe	155
PID 1836 wrote to memory of 1360	1836	cmd.exe	155
PID 1836 wrote to memory of 1360	1836	cmd.exe	155
PID 1836 wrote to memory of 1360	1836	cmd.exe	155
PID 1808 wrote to memory of 1248	1808	images.exe	156
PID 1808 wrote to memory of 1248	1808	images.exe	156
PID 1808 wrote to memory of 1248	1808	images.exe	156
PID 1808 wrote to memory of 1248	1808	images.exe	156
PID 1248 wrote to memory of 1288	1248	cmd.exe	158
PID 1248 wrote to memory of 1288	1248	cmd.exe	158
PID 1248 wrote to memory of 1288	1248	cmd.exe	158
PID 1248 wrote to memory of 1288	1248	cmd.exe	158
PID 1808 wrote to memory of 1620	1808	images.exe	159
PID 1808 wrote to memory of 1620	1808	images.exe	159
PID 1808 wrote to memory of 1620	1808	images.exe	159
PID 1808 wrote to memory of 1620	1808	images.exe	159
PID 1620 wrote to memory of 1532	1620	cmd.exe	161
PID 1620 wrote to memory of 1532	1620	cmd.exe	161
PID 1620 wrote to memory of 1532	1620	cmd.exe	161
PID 1620 wrote to memory of 1532	1620	cmd.exe	161
PID 1808 wrote to memory of 1596	1808	images.exe	162
PID 1808 wrote to memory of 1596	1808	images.exe	162
PID 1808 wrote to memory of 1596	1808	images.exe	162
PID 1808 wrote to memory of 1596	1808	images.exe	162
PID 1596 wrote to memory of 960	1596	cmd.exe	164
PID 1596 wrote to memory of 960	1596	cmd.exe	164
PID 1596 wrote to memory of 960	1596	cmd.exe	164
PID 1596 wrote to memory of 960	1596	cmd.exe	164
PID 1808 wrote to memory of 1892	1808	images.exe	165
PID 1808 wrote to memory of 1892	1808	images.exe	165
PID 1808 wrote to memory of 1892	1808	images.exe	165
PID 1808 wrote to memory of 1892	1808	images.exe	165
PID 1892 wrote to memory of 1288	1892	cmd.exe	167
PID 1892 wrote to memory of 1288	1892	cmd.exe	167
PID 1892 wrote to memory of 1288	1892	cmd.exe	167
PID 1892 wrote to memory of 1288	1892	cmd.exe	167
PID 1808 wrote to memory of 1368	1808	images.exe	168
PID 1808 wrote to memory of 1368	1808	images.exe	168
PID 1808 wrote to memory of 1368	1808	images.exe	168
PID 1808 wrote to memory of 1368	1808	images.exe	168
PID 1368 wrote to memory of 1288	1368	cmd.exe	170
PID 1368 wrote to memory of 1288	1368	cmd.exe	170
PID 1368 wrote to memory of 1288	1368	cmd.exe	170
PID 1368 wrote to memory of 1288	1368	cmd.exe	170
PID 1808 wrote to memory of 2060	1808	images.exe	171
PID 1808 wrote to memory of 2060	1808	images.exe	171
PID 1808 wrote to memory of 2060	1808	images.exe	171
PID 1808 wrote to memory of 2060	1808	images.exe	171
PID 2060 wrote to memory of 2088	2060	cmd.exe	173
PID 2060 wrote to memory of 2088	2060	cmd.exe	173
PID 2060 wrote to memory of 2088	2060	cmd.exe	173
PID 2060 wrote to memory of 2088	2060	cmd.exe	173
PID 1808 wrote to memory of 2104	1808	images.exe	174
PID 1808 wrote to memory of 2104	1808	images.exe	174
PID 1808 wrote to memory of 2104	1808	images.exe	174
PID 1808 wrote to memory of 2104	1808	images.exe	174
PID 2104 wrote to memory of 2132	2104	cmd.exe	176
PID 2104 wrote to memory of 2132	2104	cmd.exe	176
PID 2104 wrote to memory of 2132	2104	cmd.exe	176
PID 2104 wrote to memory of 2132	2104	cmd.exe	176
PID 1808 wrote to memory of 2148	1808	images.exe	177
PID 1808 wrote to memory of 2148	1808	images.exe	177
PID 1808 wrote to memory of 2148	1808	images.exe	177
PID 1808 wrote to memory of 2148	1808	images.exe	177
PID 2148 wrote to memory of 2176	2148	cmd.exe	179
PID 2148 wrote to memory of 2176	2148	cmd.exe	179
PID 2148 wrote to memory of 2176	2148	cmd.exe	179
PID 2148 wrote to memory of 2176	2148	cmd.exe	179
PID 1808 wrote to memory of 2192	1808	images.exe	180
PID 1808 wrote to memory of 2192	1808	images.exe	180
PID 1808 wrote to memory of 2192	1808	images.exe	180
PID 1808 wrote to memory of 2192	1808	images.exe	180
PID 2192 wrote to memory of 2220	2192	cmd.exe	182
PID 2192 wrote to memory of 2220	2192	cmd.exe	182
PID 2192 wrote to memory of 2220	2192	cmd.exe	182
PID 2192 wrote to memory of 2220	2192	cmd.exe	182
PID 1808 wrote to memory of 2236	1808	images.exe	183
PID 1808 wrote to memory of 2236	1808	images.exe	183
PID 1808 wrote to memory of 2236	1808	images.exe	183
PID 1808 wrote to memory of 2236	1808	images.exe	183
PID 2236 wrote to memory of 2264	2236	cmd.exe	185
PID 2236 wrote to memory of 2264	2236	cmd.exe	185
PID 2236 wrote to memory of 2264	2236	cmd.exe	185
PID 2236 wrote to memory of 2264	2236	cmd.exe	185
PID 1808 wrote to memory of 2280	1808	images.exe	186
PID 1808 wrote to memory of 2280	1808	images.exe	186
PID 1808 wrote to memory of 2280	1808	images.exe	186
PID 1808 wrote to memory of 2280	1808	images.exe	186
PID 2280 wrote to memory of 2308	2280	cmd.exe	188
PID 2280 wrote to memory of 2308	2280	cmd.exe	188
PID 2280 wrote to memory of 2308	2280	cmd.exe	188
PID 2280 wrote to memory of 2308	2280	cmd.exe	188
PID 1808 wrote to memory of 2324	1808	images.exe	189
PID 1808 wrote to memory of 2324	1808	images.exe	189
PID 1808 wrote to memory of 2324	1808	images.exe	189
PID 1808 wrote to memory of 2324	1808	images.exe	189
PID 2324 wrote to memory of 2352	2324	cmd.exe	191
PID 2324 wrote to memory of 2352	2324	cmd.exe	191
PID 2324 wrote to memory of 2352	2324	cmd.exe	191
PID 2324 wrote to memory of 2352	2324	cmd.exe	191
PID 1808 wrote to memory of 2368	1808	images.exe	192
PID 1808 wrote to memory of 2368	1808	images.exe	192
PID 1808 wrote to memory of 2368	1808	images.exe	192
PID 1808 wrote to memory of 2368	1808	images.exe	192
PID 2368 wrote to memory of 2396	2368	cmd.exe	194
PID 2368 wrote to memory of 2396	2368	cmd.exe	194
PID 2368 wrote to memory of 2396	2368	cmd.exe	194
PID 2368 wrote to memory of 2396	2368	cmd.exe	194
PID 1808 wrote to memory of 2412	1808	images.exe	195
PID 1808 wrote to memory of 2412	1808	images.exe	195
PID 1808 wrote to memory of 2412	1808	images.exe	195
PID 1808 wrote to memory of 2412	1808	images.exe	195
PID 2412 wrote to memory of 2440	2412	cmd.exe	197
PID 2412 wrote to memory of 2440	2412	cmd.exe	197
PID 2412 wrote to memory of 2440	2412	cmd.exe	197
PID 2412 wrote to memory of 2440	2412	cmd.exe	197
PID 1808 wrote to memory of 2456	1808	images.exe	198
PID 1808 wrote to memory of 2456	1808	images.exe	198
PID 1808 wrote to memory of 2456	1808	images.exe	198
PID 1808 wrote to memory of 2456	1808	images.exe	198
PID 2456 wrote to memory of 2484	2456	cmd.exe	200
PID 2456 wrote to memory of 2484	2456	cmd.exe	200
PID 2456 wrote to memory of 2484	2456	cmd.exe	200
PID 2456 wrote to memory of 2484	2456	cmd.exe	200
PID 1808 wrote to memory of 2500	1808	images.exe	201
PID 1808 wrote to memory of 2500	1808	images.exe	201
PID 1808 wrote to memory of 2500	1808	images.exe	201
PID 1808 wrote to memory of 2500	1808	images.exe	201
PID 2500 wrote to memory of 2528	2500	cmd.exe	203
PID 2500 wrote to memory of 2528	2500	cmd.exe	203
PID 2500 wrote to memory of 2528	2500	cmd.exe	203
PID 2500 wrote to memory of 2528	2500	cmd.exe	203
PID 1808 wrote to memory of 2544	1808	images.exe	204
PID 1808 wrote to memory of 2544	1808	images.exe	204
PID 1808 wrote to memory of 2544	1808	images.exe	204
PID 1808 wrote to memory of 2544	1808	images.exe	204
PID 2544 wrote to memory of 2572	2544	cmd.exe	206
PID 2544 wrote to memory of 2572	2544	cmd.exe	206
PID 2544 wrote to memory of 2572	2544	cmd.exe	206
PID 2544 wrote to memory of 2572	2544	cmd.exe	206
PID 1808 wrote to memory of 2588	1808	images.exe	207
PID 1808 wrote to memory of 2588	1808	images.exe	207
PID 1808 wrote to memory of 2588	1808	images.exe	207
PID 1808 wrote to memory of 2588	1808	images.exe	207
PID 2588 wrote to memory of 2616	2588	cmd.exe	209
PID 2588 wrote to memory of 2616	2588	cmd.exe	209
PID 2588 wrote to memory of 2616	2588	cmd.exe	209
PID 2588 wrote to memory of 2616	2588	cmd.exe	209
PID 1808 wrote to memory of 2632	1808	images.exe	210
PID 1808 wrote to memory of 2632	1808	images.exe	210
PID 1808 wrote to memory of 2632	1808	images.exe	210
PID 1808 wrote to memory of 2632	1808	images.exe	210
PID 2632 wrote to memory of 2660	2632	cmd.exe	212
PID 2632 wrote to memory of 2660	2632	cmd.exe	212
PID 2632 wrote to memory of 2660	2632	cmd.exe	212
PID 2632 wrote to memory of 2660	2632	cmd.exe	212
PID 1808 wrote to memory of 2676	1808	images.exe	213
PID 1808 wrote to memory of 2676	1808	images.exe	213
PID 1808 wrote to memory of 2676	1808	images.exe	213
PID 1808 wrote to memory of 2676	1808	images.exe	213
PID 2676 wrote to memory of 2704	2676	cmd.exe	215
PID 2676 wrote to memory of 2704	2676	cmd.exe	215
PID 2676 wrote to memory of 2704	2676	cmd.exe	215
PID 2676 wrote to memory of 2704	2676	cmd.exe	215
PID 1808 wrote to memory of 2720	1808	images.exe	216
PID 1808 wrote to memory of 2720	1808	images.exe	216
PID 1808 wrote to memory of 2720	1808	images.exe	216
PID 1808 wrote to memory of 2720	1808	images.exe	216
PID 2720 wrote to memory of 2748	2720	cmd.exe	218
PID 2720 wrote to memory of 2748	2720	cmd.exe	218
PID 2720 wrote to memory of 2748	2720	cmd.exe	218
PID 2720 wrote to memory of 2748	2720	cmd.exe	218
PID 1808 wrote to memory of 2764	1808	images.exe	219
PID 1808 wrote to memory of 2764	1808	images.exe	219
PID 1808 wrote to memory of 2764	1808	images.exe	219
PID 1808 wrote to memory of 2764	1808	images.exe	219
PID 2764 wrote to memory of 2792	2764	cmd.exe	221
PID 2764 wrote to memory of 2792	2764	cmd.exe	221
PID 2764 wrote to memory of 2792	2764	cmd.exe	221
PID 2764 wrote to memory of 2792	2764	cmd.exe	221
PID 1808 wrote to memory of 2808	1808	images.exe	222
PID 1808 wrote to memory of 2808	1808	images.exe	222
PID 1808 wrote to memory of 2808	1808	images.exe	222
PID 1808 wrote to memory of 2808	1808	images.exe	222
PID 2808 wrote to memory of 2836	2808	cmd.exe	224
PID 2808 wrote to memory of 2836	2808	cmd.exe	224
PID 2808 wrote to memory of 2836	2808	cmd.exe	224
PID 2808 wrote to memory of 2836	2808	cmd.exe	224
PID 1808 wrote to memory of 2852	1808	images.exe	225
PID 1808 wrote to memory of 2852	1808	images.exe	225
PID 1808 wrote to memory of 2852	1808	images.exe	225
PID 1808 wrote to memory of 2852	1808	images.exe	225
PID 2852 wrote to memory of 2880	2852	cmd.exe	227
PID 2852 wrote to memory of 2880	2852	cmd.exe	227
PID 2852 wrote to memory of 2880	2852	cmd.exe	227
PID 2852 wrote to memory of 2880	2852	cmd.exe	227
PID 1808 wrote to memory of 2896	1808	images.exe	228
PID 1808 wrote to memory of 2896	1808	images.exe	228
PID 1808 wrote to memory of 2896	1808	images.exe	228
PID 1808 wrote to memory of 2896	1808	images.exe	228
PID 2896 wrote to memory of 2924	2896	cmd.exe	230
PID 2896 wrote to memory of 2924	2896	cmd.exe	230
PID 2896 wrote to memory of 2924	2896	cmd.exe	230
PID 2896 wrote to memory of 2924	2896	cmd.exe	230
PID 1808 wrote to memory of 2940	1808	images.exe	231
PID 1808 wrote to memory of 2940	1808	images.exe	231
PID 1808 wrote to memory of 2940	1808	images.exe	231
PID 1808 wrote to memory of 2940	1808	images.exe	231
PID 2940 wrote to memory of 2968	2940	cmd.exe	233
PID 2940 wrote to memory of 2968	2940	cmd.exe	233
PID 2940 wrote to memory of 2968	2940	cmd.exe	233
PID 2940 wrote to memory of 2968	2940	cmd.exe	233
PID 1808 wrote to memory of 2984	1808	images.exe	234
PID 1808 wrote to memory of 2984	1808	images.exe	234
PID 1808 wrote to memory of 2984	1808	images.exe	234
PID 1808 wrote to memory of 2984	1808	images.exe	234
PID 2984 wrote to memory of 3012	2984	cmd.exe	236
PID 2984 wrote to memory of 3012	2984	cmd.exe	236
PID 2984 wrote to memory of 3012	2984	cmd.exe	236
PID 2984 wrote to memory of 3012	2984	cmd.exe	236
PID 1808 wrote to memory of 3028	1808	images.exe	237
PID 1808 wrote to memory of 3028	1808	images.exe	237
PID 1808 wrote to memory of 3028	1808	images.exe	237
PID 1808 wrote to memory of 3028	1808	images.exe	237
PID 3028 wrote to memory of 3056	3028	cmd.exe	239
PID 3028 wrote to memory of 3056	3028	cmd.exe	239
PID 3028 wrote to memory of 3056	3028	cmd.exe	239
PID 3028 wrote to memory of 3056	3028	cmd.exe	239
PID 1808 wrote to memory of 2052	1808	images.exe	240
PID 1808 wrote to memory of 2052	1808	images.exe	240
PID 1808 wrote to memory of 2052	1808	images.exe	240
PID 1808 wrote to memory of 2052	1808	images.exe	240
PID 2052 wrote to memory of 676	2052	cmd.exe	242
PID 2052 wrote to memory of 676	2052	cmd.exe	242
PID 2052 wrote to memory of 676	2052	cmd.exe	242
PID 2052 wrote to memory of 676	2052	cmd.exe	242
PID 1808 wrote to memory of 2092	1808	images.exe	243
PID 1808 wrote to memory of 2092	1808	images.exe	243
PID 1808 wrote to memory of 2092	1808	images.exe	243
PID 1808 wrote to memory of 2092	1808	images.exe	243
PID 2092 wrote to memory of 2120	2092	cmd.exe	245
PID 2092 wrote to memory of 2120	2092	cmd.exe	245
PID 2092 wrote to memory of 2120	2092	cmd.exe	245
PID 2092 wrote to memory of 2120	2092	cmd.exe	245
PID 1808 wrote to memory of 2128	1808	images.exe	246
PID 1808 wrote to memory of 2128	1808	images.exe	246
PID 1808 wrote to memory of 2128	1808	images.exe	246
PID 1808 wrote to memory of 2128	1808	images.exe	246
PID 2128 wrote to memory of 2180	2128	cmd.exe	248
PID 2128 wrote to memory of 2180	2128	cmd.exe	248
PID 2128 wrote to memory of 2180	2128	cmd.exe	248
PID 2128 wrote to memory of 2180	2128	cmd.exe	248
PID 1808 wrote to memory of 2168	1808	images.exe	249
PID 1808 wrote to memory of 2168	1808	images.exe	249
PID 1808 wrote to memory of 2168	1808	images.exe	249
PID 1808 wrote to memory of 2168	1808	images.exe	249
PID 2168 wrote to memory of 2196	2168	cmd.exe	251
PID 2168 wrote to memory of 2196	2168	cmd.exe	251
PID 2168 wrote to memory of 2196	2168	cmd.exe	251
PID 2168 wrote to memory of 2196	2168	cmd.exe	251
PID 1808 wrote to memory of 1736	1808	images.exe	252
PID 1808 wrote to memory of 1736	1808	images.exe	252
PID 1808 wrote to memory of 1736	1808	images.exe	252
PID 1808 wrote to memory of 1736	1808	images.exe	252
PID 1736 wrote to memory of 2256	1736	cmd.exe	254
PID 1736 wrote to memory of 2256	1736	cmd.exe	254
PID 1736 wrote to memory of 2256	1736	cmd.exe	254
PID 1736 wrote to memory of 2256	1736	cmd.exe	254
PID 1808 wrote to memory of 1848	1808	images.exe	255
PID 1808 wrote to memory of 1848	1808	images.exe	255
PID 1808 wrote to memory of 1848	1808	images.exe	255
PID 1808 wrote to memory of 1848	1808	images.exe	255
PID 1848 wrote to memory of 2284	1848	cmd.exe	257
PID 1848 wrote to memory of 2284	1848	cmd.exe	257
PID 1848 wrote to memory of 2284	1848	cmd.exe	257
PID 1848 wrote to memory of 2284	1848	cmd.exe	257
PID 1808 wrote to memory of 2340	1808	images.exe	258
PID 1808 wrote to memory of 2340	1808	images.exe	258
PID 1808 wrote to memory of 2340	1808	images.exe	258
PID 1808 wrote to memory of 2340	1808	images.exe	258
PID 2340 wrote to memory of 2336	2340	cmd.exe	260
PID 2340 wrote to memory of 2336	2340	cmd.exe	260
PID 2340 wrote to memory of 2336	2340	cmd.exe	260
PID 2340 wrote to memory of 2336	2340	cmd.exe	260
PID 1808 wrote to memory of 2400	1808	images.exe	261
PID 1808 wrote to memory of 2400	1808	images.exe	261
PID 1808 wrote to memory of 2400	1808	images.exe	261
PID 1808 wrote to memory of 2400	1808	images.exe	261
PID 2400 wrote to memory of 2420	2400	cmd.exe	263
PID 2400 wrote to memory of 2420	2400	cmd.exe	263
PID 2400 wrote to memory of 2420	2400	cmd.exe	263
PID 2400 wrote to memory of 2420	2400	cmd.exe	263
PID 1808 wrote to memory of 2444	1808	images.exe	264
PID 1808 wrote to memory of 2444	1808	images.exe	264
PID 1808 wrote to memory of 2444	1808	images.exe	264
PID 1808 wrote to memory of 2444	1808	images.exe	264
PID 2444 wrote to memory of 2472	2444	cmd.exe	266
PID 2444 wrote to memory of 2472	2444	cmd.exe	266
PID 2444 wrote to memory of 2472	2444	cmd.exe	266
PID 2444 wrote to memory of 2472	2444	cmd.exe	266
PID 1808 wrote to memory of 2480	1808	images.exe	267
PID 1808 wrote to memory of 2480	1808	images.exe	267
PID 1808 wrote to memory of 2480	1808	images.exe	267
PID 1808 wrote to memory of 2480	1808	images.exe	267
PID 2480 wrote to memory of 2532	2480	cmd.exe	269
PID 2480 wrote to memory of 2532	2480	cmd.exe	269
PID 2480 wrote to memory of 2532	2480	cmd.exe	269
PID 2480 wrote to memory of 2532	2480	cmd.exe	269

C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe" "C:\Users\Admin\AppData\Roaming\system\images.exe"
  2⤵
  PID:1120
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\system\images.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Users\Admin\AppData\Roaming\system\images.exe
    "C:\Users\Admin\AppData\Roaming\system\images.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1508
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1688
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:280
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1980
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1924
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1416
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1524
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1832
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1312
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1564
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1364
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:968
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:272
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1540
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:760
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1308
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1824
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1544
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:844
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1796
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:564
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:876
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:772
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2036
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1832
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:900
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1964
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:564
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:272
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:872
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2012
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1360
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1824
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:788
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:576
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:972
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1912
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:952
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:528
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1552
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:816
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1772
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1904
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1260
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:952
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1248
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1232
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:960
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1632
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1260
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1624
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1368
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1072
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:328
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1144
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1432
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1404
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1248
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1836
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1360
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1248
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1288
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1620
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1596
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:960
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1892
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1288
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1368
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1288
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2060
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2104
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2132
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2148
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2176
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2192
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2220
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2236
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2308
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2324
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2368
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2396
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2412
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2456
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2484
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2500
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2544
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2588
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2632
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2676
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2720
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2764
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2808
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2852
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2896
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2940
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2984
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:3028
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:3056
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2052
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:676
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2092
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2120
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2128
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2168
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1736
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1848
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2284
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2340
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2400
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2444
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2472
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2480
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-31-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/1720-27-0x0000000000090000-0x00000000000E4000-memory.dmp

Filesize
336KB

Download
memory/1720-30-0x0000000074E60000-0x000000007554E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-28-0x0000000000090000-0x00000000000E4000-memory.dmp

Filesize
336KB

Download
memory/1808-12-0x0000000074E60000-0x000000007554E000-memory.dmp

Filesize
6.9MB

Download
memory/1808-20-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/1808-13-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2036-0-0x0000000074EE0000-0x00000000755CE000-memory.dmp

Filesize
6.9MB

Download
memory/2036-5-0x0000000000430000-0x0000000000436000-memory.dmp

Filesize
24KB

Download
memory/2036-1-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/2036-3-0x0000000000310000-0x0000000000327000-memory.dmp

Filesize
92KB

Download
memory/2036-4-0x0000000000380000-0x000000000039F000-memory.dmp

Filesize
124KB

Download