Analysis Overview
SHA256
84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878
Threat Level: Likely malicious
The file Booking Confirmation 110492024951 - copy - PDF.exe was found to be: Likely malicious.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-06 17:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-06 17:38
Reported
2020-11-06 17:40
Platform
win7v20201028
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\system\images.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1808 set thread context of 1720 | N/A | C:\Users\Admin\AppData\Roaming\system\images.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\system\images.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\system\images.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe" "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Users\Admin\AppData\Roaming\system\images.exe
"C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
(this cmd.exe / reg.exe pair appears a further 75 times in the process list with identical command lines; the sample keeps re-adding the same Run value throughout the detonation, which is why the "Adds Run key" signature above records so many Set value events for one key)
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | ivy20.urown.cloud | udp |
| N/A | 79.134.225.37:5200 | ivy20.urown.cloud | tcp |
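The chain this report documents (copy of the sample into AppData\Roaming, a REG ADD loop on the HKCU Run key, a .NET InstallUtil.exe started with no arguments and then targeted by SetThreadContext, and the ivy20.urown.cloud / 79.134.225.37:5200 traffic) maps directly onto a few detection rules. The Python below is an added example, not part of the sandbox report or any vendor's tooling: it replays the chain against constructed telemetry records modelled on the command lines above and flags each stage, with a benign control to show what does not fire. The record layout (dicts keyed by "type", "image", "command_line" and so on), the list of .NET hosts beyond InstallUtil.exe, the loop threshold of five writes and the benign updater path are all assumptions made for the example.

```python
"""
Added example (not part of the sandbox report or any vendor's tooling): replays
the behaviour chain documented above against constructed telemetry records and
flags each stage. The record layout used here (dicts keyed by "type", "image",
"command_line", ...) is an assumption for this example, not a real EDR schema.
"""
import re
from collections import Counter
from typing import Iterable

# Indicators taken from the report's Network and Files sections.
IOC_DOMAINS = {"ivy20.urown.cloud"}
IOC_SOCKETS = {("79.134.225.37", 5200)}
IOC_SHA256 = {"84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878"}

RUN_KEY_RE = re.compile(
    r'REG\s+ADD\s+"?HK(?:CU|LM|EY_CURRENT_USER|EY_LOCAL_MACHINE)'
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"?'
    r'.*?/d\s+"?(?P<target>[^"]+)"?',
    re.IGNORECASE,
)
COPY_RE = re.compile(r'\bcopy\s+"(?P<src>[^"]+)"\s+"(?P<dst>[^"]+)"', re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)
# .NET framework utilities commonly abused as hollowing hosts (assumed list);
# started with an empty argument list they do nothing useful on their own.
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
RUN_KEY_LOOP_THRESHOLD = 5  # assumption: a legitimate installer writes its value once


def _image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _args_after_image(cmdline: str) -> str:
    """Everything after the (possibly quoted) image token of a command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    return cmdline.split(" ", 1)[1].strip() if " " in cmdline else ""


def analyse(events: Iterable[dict]) -> dict:
    """Map each stage of the report's chain that the events reproduce to a hit count."""
    findings = Counter()
    run_key_writes = Counter()
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            image, cmd = ev["image"], ev["command_line"]
            m = COPY_RE.search(cmd)
            if m and USER_PROFILE_RE.search(m.group("dst")) and m.group("dst").lower().endswith(".exe"):
                findings["exe_copied_into_user_profile"] += 1
            m = RUN_KEY_RE.search(cmd)
            if m:
                target = m.group("target").lower()
                run_key_writes[target] += 1
                if USER_PROFILE_RE.search(target):
                    findings["run_key_points_into_user_profile"] += 1
            if _image_name(image) in DOTNET_HOSTS and _args_after_image(cmd) == "":
                findings["dotnet_host_started_without_args"] += 1
        elif kind == "set_thread_context":
            if USER_PROFILE_RE.search(ev["source_image"]) and _image_name(ev["target_image"]) in DOTNET_HOSTS:
                findings["thread_context_written_into_dotnet_host"] += 1
        elif kind == "dns" and ev["query"].lower() in IOC_DOMAINS:
            findings["ioc_domain"] += 1
        elif kind == "connect" and (ev["dst_ip"], ev["dst_port"]) in IOC_SOCKETS:
            findings["ioc_socket"] += 1
        elif kind == "file" and ev["sha256"].lower() in IOC_SHA256:
            findings["ioc_hash"] += 1
    # The report shows the same REG ADD issued dozens of times during one run.
    for n in run_key_writes.values():
        if n >= RUN_KEY_LOOP_THRESHOLD:
            findings["run_key_rewrite_loop"] += 1
    return dict(findings)


def is_likely_malicious(findings: dict) -> bool:
    """Persistence into the user profile plus either an injection stage or a known IOC."""
    persistence = "run_key_points_into_user_profile" in findings
    injection = bool({"dotnet_host_started_without_args", "thread_context_written_into_dotnet_host"} & findings.keys())
    ioc = any(k.startswith("ioc_") for k in findings)
    return persistence and (injection or ioc)


# Constructed records modelled on the command lines in the process list above.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe" "C:\Users\Admin\AppData\Roaming\system\images.exe"'},
    {"type": "process", "image": r"C:\Users\Admin\AppData\Roaming\system\images.exe",
     "command_line": r'"C:\Users\Admin\AppData\Roaming\system\images.exe"'},
    *[{"type": "process", "image": r"C:\Windows\SysWOW64\reg.exe",
       "command_line": r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"'}
      for _ in range(6)],  # the report shows far more repeats; six is enough to trip the loop rule
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'},
    {"type": "set_thread_context", "source_image": r"C:\Users\Admin\AppData\Roaming\system\images.exe",
     "target_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"},
    {"type": "dns", "query": "ivy20.urown.cloud"},
    {"type": "connect", "dst_ip": "79.134.225.37", "dst_port": 5200},
    {"type": "file", "path": r"C:\Users\Admin\AppData\Roaming\system\images.exe",
     "sha256": "84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878"},
]
# Benign control (constructed): a vendor updater registering itself once from Program Files.
BENIGN_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Updater" /t REG_SZ /d "C:\Program Files\Vendor\updater.exe" /f'},
]

if __name__ == "__main__":
    for name, events in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        hits = analyse(events)
        print(name, hits, "likely malicious" if is_likely_malicious(hits) else "no verdict")
```

The behavioural rules (copy of an executable into the profile, a Run value pointing into the profile, the rewrite loop, a .NET host with no arguments, SetThreadContext from the profile into that host) keep firing when the operator rotates the domain, IP and hash; the three IOC rules are there for retro-hunting this exact sample. The benign updater writes a Run value once and to Program Files, so none of the rules trip on it.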
Files
memory/2036-0-0x0000000074EE0000-0x00000000755CE000-memory.dmp
memory/2036-1-0x00000000010E0000-0x00000000010E1000-memory.dmp
memory/2036-3-0x0000000000310000-0x0000000000327000-memory.dmp
memory/2036-4-0x0000000000380000-0x000000000039F000-memory.dmp
memory/2036-5-0x0000000000430000-0x0000000000436000-memory.dmp
memory/1120-6-0x0000000000000000-mapping.dmp
memory/672-7-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\system\images.exe
| MD5 | f867516ec5e600fb4af968c71b9a2a80 |
| SHA1 | 701970eb6a98cbc8661562155796f0491cf36efe |
| SHA256 | 84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878 |
| SHA512 | d694a4898a7bca9aa1f9bfa20ca38c2768a608afc80b8dfa9a7bbbdc0740f7bab7514813530cec3ea66ce2b89cb916fcbbc94214d4859b8c98742e08ef486c41 |
(recorded three times with identical hashes, once under the path \Users\Admin\AppData\Roaming\system\images.exe; the SHA256 is the same as the submitted sample's, so images.exe is an unmodified copy, as the cmd.exe /c copy command in the process list implies)
memory/1808-10-0x0000000000000000-mapping.dmp
memory/1808-12-0x0000000074E60000-0x000000007554E000-memory.dmp
memory/1808-13-0x00000000008F0000-0x00000000008F1000-memory.dmp
memory/1584-18-0x0000000000000000-mapping.dmp
memory/1508-19-0x0000000000000000-mapping.dmp
memory/1808-20-0x00000000007C0000-0x00000000007CA000-memory.dmp
memory/1972-21-0x0000000000000000-mapping.dmp
memory/1688-22-0x0000000000000000-mapping.dmp
memory/1744-23-0x0000000000000000-mapping.dmp
memory/1532-24-0x0000000000000000-mapping.dmp
memory/1720-26-0x000000000044C7BE-mapping.dmp
memory/1720-27-0x0000000000090000-0x00000000000E4000-memory.dmp
memory/944-29-0x0000000000000000-mapping.dmp
memory/1720-28-0x0000000000090000-0x00000000000E4000-memory.dmp
memory/1720-30-0x0000000074E60000-0x000000007554E000-memory.dmp
memory/1720-31-0x0000000000090000-0x0000000000092000-memory.dmp
memory/280-33-0x0000000000000000-mapping.dmp
memory/1980-34-0x0000000000000000-mapping.dmp
memory/1912-35-0x0000000000000000-mapping.dmp
memory/1924-36-0x0000000000000000-mapping.dmp
memory/1416-37-0x0000000000000000-mapping.dmp
memory/1524-38-0x0000000000000000-mapping.dmp
memory/1832-39-0x0000000000000000-mapping.dmp
memory/1312-40-0x0000000000000000-mapping.dmp
memory/1544-41-0x0000000000000000-mapping.dmp
memory/1564-42-0x0000000000000000-mapping.dmp
memory/1964-43-0x0000000000000000-mapping.dmp
memory/1364-44-0x0000000000000000-mapping.dmp
memory/1644-45-0x0000000000000000-mapping.dmp
memory/968-46-0x0000000000000000-mapping.dmp
memory/272-47-0x0000000000000000-mapping.dmp
memory/1540-48-0x0000000000000000-mapping.dmp
memory/1892-49-0x0000000000000000-mapping.dmp
memory/760-50-0x0000000000000000-mapping.dmp
memory/2028-51-0x0000000000000000-mapping.dmp
memory/1308-52-0x0000000000000000-mapping.dmp
memory/1824-53-0x0000000000000000-mapping.dmp
memory/1544-54-0x0000000000000000-mapping.dmp
memory/844-55-0x0000000000000000-mapping.dmp
memory/1796-56-0x0000000000000000-mapping.dmp
memory/564-57-0x0000000000000000-mapping.dmp
memory/876-58-0x0000000000000000-mapping.dmp
memory/532-59-0x0000000000000000-mapping.dmp
memory/772-60-0x0000000000000000-mapping.dmp
memory/1892-61-0x0000000000000000-mapping.dmp
memory/2036-62-0x0000000000000000-mapping.dmp
memory/1404-63-0x0000000000000000-mapping.dmp
memory/1832-64-0x0000000000000000-mapping.dmp
memory/900-65-0x0000000000000000-mapping.dmp
memory/1964-66-0x0000000000000000-mapping.dmp
memory/1688-67-0x0000000000000000-mapping.dmp
memory/564-68-0x0000000000000000-mapping.dmp
memory/272-69-0x0000000000000000-mapping.dmp
memory/872-70-0x0000000000000000-mapping.dmp
memory/1892-71-0x0000000000000000-mapping.dmp
memory/2012-72-0x0000000000000000-mapping.dmp
memory/1360-73-0x0000000000000000-mapping.dmp
memory/1824-74-0x0000000000000000-mapping.dmp
memory/788-75-0x0000000000000000-mapping.dmp
memory/576-76-0x0000000000000000-mapping.dmp
memory/1532-77-0x0000000000000000-mapping.dmp
memory/972-78-0x0000000000000000-mapping.dmp
memory/2008-79-0x0000000000000000-mapping.dmp
memory/1912-80-0x0000000000000000-mapping.dmp
memory/952-81-0x0000000000000000-mapping.dmp
memory/528-82-0x0000000000000000-mapping.dmp
memory/1552-83-0x0000000000000000-mapping.dmp
memory/816-84-0x0000000000000000-mapping.dmp
memory/1772-85-0x0000000000000000-mapping.dmp
memory/1904-86-0x0000000000000000-mapping.dmp
memory/1260-87-0x0000000000000000-mapping.dmp
memory/952-88-0x0000000000000000-mapping.dmp
memory/1248-89-0x0000000000000000-mapping.dmp
memory/1232-90-0x0000000000000000-mapping.dmp
memory/960-91-0x0000000000000000-mapping.dmp
memory/1632-92-0x0000000000000000-mapping.dmp
memory/1260-93-0x0000000000000000-mapping.dmp
memory/1624-94-0x0000000000000000-mapping.dmp
memory/1368-95-0x0000000000000000-mapping.dmp
memory/1072-96-0x0000000000000000-mapping.dmp
memory/328-97-0x0000000000000000-mapping.dmp
memory/1144-98-0x0000000000000000-mapping.dmp
memory/2028-99-0x0000000000000000-mapping.dmp
memory/1432-100-0x0000000000000000-mapping.dmp
memory/532-101-0x0000000000000000-mapping.dmp
memory/1404-102-0x0000000000000000-mapping.dmp
memory/1248-103-0x0000000000000000-mapping.dmp
memory/1836-104-0x0000000000000000-mapping.dmp
memory/1360-105-0x0000000000000000-mapping.dmp
memory/1248-106-0x0000000000000000-mapping.dmp
memory/1288-107-0x0000000000000000-mapping.dmp
memory/1620-108-0x0000000000000000-mapping.dmp
memory/1532-109-0x0000000000000000-mapping.dmp
memory/1596-110-0x0000000000000000-mapping.dmp
memory/960-111-0x0000000000000000-mapping.dmp
memory/1892-112-0x0000000000000000-mapping.dmp
memory/1288-113-0x0000000000000000-mapping.dmp
memory/1368-114-0x0000000000000000-mapping.dmp
memory/1288-115-0x0000000000000000-mapping.dmp
memory/2060-116-0x0000000000000000-mapping.dmp
memory/2088-117-0x0000000000000000-mapping.dmp
memory/2104-118-0x0000000000000000-mapping.dmp
memory/2132-119-0x0000000000000000-mapping.dmp
memory/2148-120-0x0000000000000000-mapping.dmp
memory/2176-121-0x0000000000000000-mapping.dmp
memory/2192-122-0x0000000000000000-mapping.dmp
memory/2220-123-0x0000000000000000-mapping.dmp
memory/2236-124-0x0000000000000000-mapping.dmp
memory/2264-125-0x0000000000000000-mapping.dmp
memory/2280-126-0x0000000000000000-mapping.dmp
memory/2308-127-0x0000000000000000-mapping.dmp
memory/2324-128-0x0000000000000000-mapping.dmp
memory/2352-129-0x0000000000000000-mapping.dmp
memory/2368-130-0x0000000000000000-mapping.dmp
memory/2396-131-0x0000000000000000-mapping.dmp
memory/2412-132-0x0000000000000000-mapping.dmp
memory/2440-133-0x0000000000000000-mapping.dmp
memory/2456-134-0x0000000000000000-mapping.dmp
memory/2484-135-0x0000000000000000-mapping.dmp
memory/2500-136-0x0000000000000000-mapping.dmp
memory/2528-137-0x0000000000000000-mapping.dmp
memory/2544-138-0x0000000000000000-mapping.dmp
memory/2572-139-0x0000000000000000-mapping.dmp
memory/2588-140-0x0000000000000000-mapping.dmp
memory/2616-141-0x0000000000000000-mapping.dmp
memory/2632-142-0x0000000000000000-mapping.dmp
memory/2660-143-0x0000000000000000-mapping.dmp
memory/2676-144-0x0000000000000000-mapping.dmp
memory/2704-145-0x0000000000000000-mapping.dmp
memory/2720-146-0x0000000000000000-mapping.dmp
memory/2748-147-0x0000000000000000-mapping.dmp
memory/2764-148-0x0000000000000000-mapping.dmp
memory/2792-149-0x0000000000000000-mapping.dmp
memory/2808-150-0x0000000000000000-mapping.dmp
memory/2836-151-0x0000000000000000-mapping.dmp
memory/2852-152-0x0000000000000000-mapping.dmp
memory/2880-153-0x0000000000000000-mapping.dmp
memory/2896-154-0x0000000000000000-mapping.dmp
memory/2924-155-0x0000000000000000-mapping.dmp
memory/2940-156-0x0000000000000000-mapping.dmp
memory/2968-157-0x0000000000000000-mapping.dmp
memory/2984-158-0x0000000000000000-mapping.dmp
memory/3012-159-0x0000000000000000-mapping.dmp
memory/3028-160-0x0000000000000000-mapping.dmp
memory/3056-161-0x0000000000000000-mapping.dmp
memory/2052-162-0x0000000000000000-mapping.dmp
memory/676-163-0x0000000000000000-mapping.dmp
memory/2092-164-0x0000000000000000-mapping.dmp
memory/2120-165-0x0000000000000000-mapping.dmp
memory/2128-166-0x0000000000000000-mapping.dmp
memory/2180-167-0x0000000000000000-mapping.dmp
memory/2168-168-0x0000000000000000-mapping.dmp
memory/2196-169-0x0000000000000000-mapping.dmp
memory/1736-170-0x0000000000000000-mapping.dmp
memory/2256-171-0x0000000000000000-mapping.dmp
memory/1848-172-0x0000000000000000-mapping.dmp
memory/2284-173-0x0000000000000000-mapping.dmp
memory/2340-174-0x0000000000000000-mapping.dmp
memory/2336-175-0x0000000000000000-mapping.dmp
memory/2400-176-0x0000000000000000-mapping.dmp
memory/2420-177-0x0000000000000000-mapping.dmp
memory/2444-178-0x0000000000000000-mapping.dmp
memory/2472-179-0x0000000000000000-mapping.dmp
memory/2480-180-0x0000000000000000-mapping.dmp
memory/2532-181-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-06 17:38
Reported
2020-11-06 17:40
Platform
win10v20201028
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\system\images.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1248 set thread context of 2808 | N/A | C:\Users\Admin\AppData\Roaming\system\images.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\system\images.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\system\images.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\system\images.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe" "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Users\Admin\AppData\Roaming\system\images.exe
"C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | ivy20.urown.cloud | udp |
| N/A | 79.134.225.37:5200 | ivy20.urown.cloud | tcp |
Files
C:\Users\Admin\AppData\Roaming\system\images.exe
| MD5 | f867516ec5e600fb4af968c71b9a2a80 |
| SHA1 | 701970eb6a98cbc8661562155796f0491cf36efe |
| SHA256 | 84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878 |
| SHA512 | d694a4898a7bca9aa1f9bfa20ca38c2768a608afc80b8dfa9a7bbbdc0740f7bab7514813530cec3ea66ce2b89cb916fcbbc94214d4859b8c98742e08ef486c41 |