Malware Analysis Report

2024-10-24 16:30

Sample ID 201106-dv6jg3j51e
Target Booking Confirmation 110492024951 - copy - PDF.exe
SHA256 84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878
Tags
persistence spyware
score
8/10

Analysis Overview

score
8/10

SHA256

84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878

Threat Level: Likely malicious

The file Booking Confirmation 110492024951 - copy - PDF.exe was found to be: Likely malicious.

Malicious Activity Summary

persistence spyware

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-11-06 17:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-06 17:38

Reported

2020-11-06 17:40

Platform

win7v20201028

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system\images.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1808 set thread context of 1720 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\images.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 672 wrote to memory of 1808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\system\images.exe
PID 1808 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1584 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1808 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1744 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 944 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1980 wrote to memory of 1912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 1416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 1832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1312 wrote to memory of 1544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1564 wrote to memory of 1964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 968 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 1892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 760 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 1824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1544 wrote to memory of 844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 876 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 876 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 772 wrote to memory of 1892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1832 wrote to memory of 900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 564 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 1892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1824 wrote to memory of 788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 576 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 528 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 528 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 816 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 816 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 952 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1232 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1144 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 1288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 1532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1596 wrote to memory of 960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 1288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1368 wrote to memory of 1288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 2088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 2176 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2352 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2368 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2456 wrote to memory of 2484 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 2880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2092 wrote to memory of 2120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1736 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 2420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1808 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe

"C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe" "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Users\Admin\AppData\Roaming\system\images.exe

"C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 ivy20.urown.cloud udp
N/A 79.134.225.37:5200 ivy20.urown.cloud tcp

Files

C:\Users\Admin\AppData\Roaming\system\images.exe

MD5 f867516ec5e600fb4af968c71b9a2a80
SHA1 701970eb6a98cbc8661562155796f0491cf36efe
SHA256 84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878
SHA512 d694a4898a7bca9aa1f9bfa20ca38c2768a608afc80b8dfa9a7bbbdc0740f7bab7514813530cec3ea66ce2b89cb916fcbbc94214d4859b8c98742e08ef486c41

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-06 17:38

Reported

2020-11-06 17:40

Platform

win10v20201028

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system\images.exe N/A

Reads user/profile data of web browsers

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1248 set thread context of 2808 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\system\images.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\system\images.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4688 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe C:\Windows\SysWOW64\cmd.exe
PID 368 wrote to memory of 1248 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\system\images.exe
PID 1248 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2768 wrote to memory of 3556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3996 wrote to memory of 3984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4088 wrote to memory of 4464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 4500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3720 wrote to memory of 4628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 192 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 192 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 4600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 3728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 68 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 68 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 796 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 796 wrote to memory of 3620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1264 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 1596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 1236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3540 wrote to memory of 4036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4032 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 4492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 4208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3796 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 208 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 4720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3460 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 728 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 728 wrote to memory of 4896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 576 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 576 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 576 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 4840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 576 wrote to memory of 4840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 576 wrote to memory of 4840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 632 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 632 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 632 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 632 wrote to memory of 364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 632 wrote to memory of 364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 632 wrote to memory of 364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4700 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4700 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4700 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4968 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4968 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 644 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 644 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 644 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 644 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 644 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1316 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1316 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2364 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2364 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4308 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4308 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4308 wrote to memory of 4388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3956 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3956 wrote to memory of 4488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1612 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4524 wrote to memory of 204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4524 wrote to memory of 204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4524 wrote to memory of 204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4596 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4596 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4596 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2052 wrote to memory of 3400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3740 wrote to memory of 3428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3740 wrote to memory of 3428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3740 wrote to memory of 3428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4084 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4084 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2160 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2160 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 412 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 412 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 412 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 412 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 412 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 412 wrote to memory of 4860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3096 wrote to memory of 360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3096 wrote to memory of 360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3096 wrote to memory of 360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 732 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 732 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 732 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 732 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 732 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 492 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 492 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 492 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 492 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 492 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 492 wrote to memory of 1556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4068 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4068 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4068 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1220 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1220 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2824 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2824 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2824 wrote to memory of 4252 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4548 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4548 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4548 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2756 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 188 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 188 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 188 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 188 wrote to memory of 200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 188 wrote to memory of 200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 188 wrote to memory of 200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 3372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4684 wrote to memory of 3372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4684 wrote to memory of 3372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4112 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4112 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4112 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3232 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3232 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3232 wrote to memory of 3344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4820 wrote to memory of 3888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4820 wrote to memory of 3888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4820 wrote to memory of 3888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4236 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4236 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4236 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 756 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 756 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 756 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 756 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 756 wrote to memory of 1272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3756 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3756 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 1760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1560 wrote to memory of 1760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1560 wrote to memory of 1760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2460 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2460 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3836 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3836 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3836 wrote to memory of 4564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 8 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 8 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 8 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 8 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 8 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 5056 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5056 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5056 wrote to memory of 4936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 4176 wrote to memory of 1436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4176 wrote to memory of 1436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4176 wrote to memory of 1436 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3364 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3364 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3472 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3472 wrote to memory of 1112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3860 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3860 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3860 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3228 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3228 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1248 wrote to memory of 844 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 844 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 844 N/A C:\Users\Admin\AppData\Roaming\system\images.exe C:\Windows\SysWOW64\cmd.exe
PID 844 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 844 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 844 wrote to memory of 4740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe

"C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110492024951 - copy - PDF.exe" "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Users\Admin\AppData\Roaming\system\images.exe

"C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 ivy20.urown.cloud udp
N/A 79.134.225.37:5200 ivy20.urown.cloud tcp

Files

C:\Users\Admin\AppData\Roaming\system\images.exe

MD5 f867516ec5e600fb4af968c71b9a2a80
SHA1 701970eb6a98cbc8661562155796f0491cf36efe
SHA256 84e2088ea38d600fd562925b840117483cf4683573e92106c23c19bdfae2f878
SHA512 d694a4898a7bca9aa1f9bfa20ca38c2768a608afc80b8dfa9a7bbbdc0740f7bab7514813530cec3ea66ce2b89cb916fcbbc94214d4859b8c98742e08ef486c41
