hiverat | f0331d96574776e1254747cac935785308803f1234cb833064f0aae4e9aa7964

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Booking Confirmation 110992024951 - copy - PDF.exe
Size

852KB
MD5

76365cf942438345266042ed4f88b48b
SHA1

5e83c5e24bb0a923a8988ca2ac39f2a1656d052d
SHA256

f0331d96574776e1254747cac935785308803f1234cb833064f0aae4e9aa7964
SHA512

76f9b23b199dd248be5c7d7a32f36bb079f93b3d7664ea82c2db942876861eeb37cce5cd5a6d207f47fa19b1d4007c1ad9e862ea8917b74f591e312c5020127b

Score

10^/10

hiverat persistence rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1368-26-0x000000000044C7BE-mapping.dmp	family_hiverat
behavioral1/memory/1368-25-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1368-27-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1368-29-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

300 images.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

776 cmd.exe

pid	process
300	images.exe

pid	process
776	cmd.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

images.exe

description pid process target process

PID 300 set thread context of 1368 300 images.exe InstallUtil.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Booking Confirmation 110992024951 - copy - PDF.exeimages.exeInstallUtil.exe

pid process

1960 Booking Confirmation 110992024951 - copy - PDF.exe
300 images.exe
1368 InstallUtil.exe

description	pid	process	target process
PID 300 set thread context of 1368	300	images.exe	InstallUtil.exe

pid	process
1960	Booking Confirmation 110992024951 - copy - PDF.exe
300	images.exe
1368	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Booking Confirmation 110992024951 - copy - PDF.exeimages.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1960	Booking Confirmation 110992024951 - copy - PDF.exe
Token: SeDebugPrivilege	300	images.exe
Token: SeDebugPrivilege	1368	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Booking Confirmation 110992024951 - copy - PDF.execmd.exeimages.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1960 wrote to memory of 1376	1960	Booking Confirmation 110992024951 - copy - PDF.exe	cmd.exe
PID 1960 wrote to memory of 1376	1960	Booking Confirmation 110992024951 - copy - PDF.exe	cmd.exe
PID 1960 wrote to memory of 1376	1960	Booking Confirmation 110992024951 - copy - PDF.exe	cmd.exe
PID 1960 wrote to memory of 1376	1960	Booking Confirmation 110992024951 - copy - PDF.exe	cmd.exe
PID 1960 wrote to memory of 776	1960	Booking Confirmation 110992024951 - copy - PDF.exe	cmd.exe
PID 1960 wrote to memory of 776	1960	Booking Confirmation 110992024951 - copy - PDF.exe	cmd.exe
PID 1960 wrote to memory of 776	1960	Booking Confirmation 110992024951 - copy - PDF.exe	cmd.exe
PID 1960 wrote to memory of 776	1960	Booking Confirmation 110992024951 - copy - PDF.exe	cmd.exe
PID 776 wrote to memory of 300	776	cmd.exe	images.exe
PID 776 wrote to memory of 300	776	cmd.exe	images.exe
PID 776 wrote to memory of 300	776	cmd.exe	images.exe
PID 776 wrote to memory of 300	776	cmd.exe	images.exe
PID 776 wrote to memory of 300	776	cmd.exe	images.exe
PID 776 wrote to memory of 300	776	cmd.exe	images.exe
PID 776 wrote to memory of 300	776	cmd.exe	images.exe
PID 300 wrote to memory of 1176	300	images.exe	cmd.exe
PID 300 wrote to memory of 1176	300	images.exe	cmd.exe
PID 300 wrote to memory of 1176	300	images.exe	cmd.exe
PID 300 wrote to memory of 1176	300	images.exe	cmd.exe
PID 1176 wrote to memory of 1628	1176	cmd.exe	reg.exe
PID 1176 wrote to memory of 1628	1176	cmd.exe	reg.exe
PID 1176 wrote to memory of 1628	1176	cmd.exe	reg.exe
PID 1176 wrote to memory of 1628	1176	cmd.exe	reg.exe
PID 300 wrote to memory of 1700	300	images.exe	cmd.exe
PID 300 wrote to memory of 1700	300	images.exe	cmd.exe
PID 300 wrote to memory of 1700	300	images.exe	cmd.exe
PID 300 wrote to memory of 1700	300	images.exe	cmd.exe
PID 1700 wrote to memory of 1088	1700	cmd.exe	reg.exe
PID 1700 wrote to memory of 1088	1700	cmd.exe	reg.exe
PID 1700 wrote to memory of 1088	1700	cmd.exe	reg.exe
PID 1700 wrote to memory of 1088	1700	cmd.exe	reg.exe
PID 300 wrote to memory of 1368	300	images.exe	InstallUtil.exe
PID 300 wrote to memory of 1368	300	images.exe	InstallUtil.exe
PID 300 wrote to memory of 1368	300	images.exe	InstallUtil.exe
PID 300 wrote to memory of 1368	300	images.exe	InstallUtil.exe
PID 300 wrote to memory of 1368	300	images.exe	InstallUtil.exe
PID 300 wrote to memory of 1368	300	images.exe	InstallUtil.exe
PID 300 wrote to memory of 1368	300	images.exe	InstallUtil.exe
PID 300 wrote to memory of 1368	300	images.exe	InstallUtil.exe
PID 300 wrote to memory of 1368	300	images.exe	InstallUtil.exe
PID 300 wrote to memory of 1368	300	images.exe	InstallUtil.exe
PID 300 wrote to memory of 1368	300	images.exe	InstallUtil.exe
PID 300 wrote to memory of 1368	300	images.exe	InstallUtil.exe
PID 300 wrote to memory of 1368	300	images.exe	InstallUtil.exe
PID 300 wrote to memory of 1480	300	images.exe	cmd.exe
PID 300 wrote to memory of 1480	300	images.exe	cmd.exe
PID 300 wrote to memory of 1480	300	images.exe	cmd.exe
PID 300 wrote to memory of 1480	300	images.exe	cmd.exe
PID 1480 wrote to memory of 1120	1480	cmd.exe	reg.exe
PID 1480 wrote to memory of 1120	1480	cmd.exe	reg.exe
PID 1480 wrote to memory of 1120	1480	cmd.exe	reg.exe
PID 1480 wrote to memory of 1120	1480	cmd.exe	reg.exe
PID 300 wrote to memory of 956	300	images.exe	cmd.exe
PID 300 wrote to memory of 956	300	images.exe	cmd.exe
PID 300 wrote to memory of 956	300	images.exe	cmd.exe
PID 300 wrote to memory of 956	300	images.exe	cmd.exe
PID 956 wrote to memory of 572	956	cmd.exe	reg.exe
PID 956 wrote to memory of 572	956	cmd.exe	reg.exe
PID 956 wrote to memory of 572	956	cmd.exe	reg.exe
PID 956 wrote to memory of 572	956	cmd.exe	reg.exe
PID 300 wrote to memory of 328	300	images.exe	cmd.exe
PID 300 wrote to memory of 328	300	images.exe	cmd.exe
PID 300 wrote to memory of 328	300	images.exe	cmd.exe
PID 300 wrote to memory of 328	300	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110992024951 - copy - PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110992024951 - copy - PDF.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110992024951 - copy - PDF.exe" "C:\Users\Admin\AppData\Roaming\system\images.exe"
  2⤵
  PID:1376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\system\images.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Users\Admin\AppData\Roaming\system\images.exe
    "C:\Users\Admin\AppData\Roaming\system\images.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:300
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1176
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1368
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1120
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:956
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:572
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:328
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1684
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1780
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1380
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1996
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1852
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:316
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1648
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2036
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:824
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:944
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1288
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:572
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1180
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:816
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:964
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2000
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:800
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1624
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1092
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1172
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:304
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:760
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1684
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:964
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:768
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1452
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1348
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1856
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1120
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1920
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1636
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1672
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1844
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1240
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1944
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1116
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1544
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:872
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:944
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1328
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1164
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1240
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1988
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1088
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1084
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1588
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1672
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1852
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1128
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1092
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1964
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1320
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1940
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1112
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1328
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2040
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1116
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1240
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1328
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:904
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1128
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2004
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1972
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1940
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1452
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1116
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2060
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2108
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2136
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2152
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2196
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2240
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2284
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2328
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2372
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2400
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2416
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2444
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2460
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2488
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2504
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2548
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2592
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2636
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2664
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2680
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2724
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2768
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2812
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2900
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2944
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2988
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:3032
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1532
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2084
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2128
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2176
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:1652
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2224
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2208
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2300
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2296
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2360
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
      4⤵
      PID:2376
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
        5⤵
        
        PID:2452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\system\images.exe

MD5
76365cf942438345266042ed4f88b48b

SHA1
5e83c5e24bb0a923a8988ca2ac39f2a1656d052d

SHA256
f0331d96574776e1254747cac935785308803f1234cb833064f0aae4e9aa7964

SHA512
76f9b23b199dd248be5c7d7a32f36bb079f93b3d7664ea82c2db942876861eeb37cce5cd5a6d207f47fa19b1d4007c1ad9e862ea8917b74f591e312c5020127b

Download Submit
C:\Users\Admin\AppData\Roaming\system\images.exe

MD5
76365cf942438345266042ed4f88b48b

SHA1
5e83c5e24bb0a923a8988ca2ac39f2a1656d052d

SHA256
f0331d96574776e1254747cac935785308803f1234cb833064f0aae4e9aa7964

SHA512
76f9b23b199dd248be5c7d7a32f36bb079f93b3d7664ea82c2db942876861eeb37cce5cd5a6d207f47fa19b1d4007c1ad9e862ea8917b74f591e312c5020127b

Download Submit
\Users\Admin\AppData\Roaming\system\images.exe

MD5
76365cf942438345266042ed4f88b48b

SHA1
5e83c5e24bb0a923a8988ca2ac39f2a1656d052d

SHA256
f0331d96574776e1254747cac935785308803f1234cb833064f0aae4e9aa7964

SHA512
76f9b23b199dd248be5c7d7a32f36bb079f93b3d7664ea82c2db942876861eeb37cce5cd5a6d207f47fa19b1d4007c1ad9e862ea8917b74f591e312c5020127b

Download Submit
memory/300-13-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/300-20-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/300-10-0x0000000000000000-mapping.dmp

Download
memory/300-12-0x0000000074180000-0x000000007486E000-memory.dmp

Filesize
6.9MB

Download
memory/304-58-0x0000000000000000-mapping.dmp

Download
memory/316-40-0x0000000000000000-mapping.dmp

Download
memory/328-34-0x0000000000000000-mapping.dmp

Download
memory/572-47-0x0000000000000000-mapping.dmp

Download
memory/572-33-0x0000000000000000-mapping.dmp

Download
memory/760-60-0x0000000000000000-mapping.dmp

Download
memory/768-64-0x0000000000000000-mapping.dmp

Download
memory/776-7-0x0000000000000000-mapping.dmp

Download
memory/800-53-0x0000000000000000-mapping.dmp

Download
memory/816-50-0x0000000000000000-mapping.dmp

Download
memory/824-44-0x0000000000000000-mapping.dmp

Download
memory/872-79-0x0000000000000000-mapping.dmp

Download
memory/904-104-0x0000000000000000-mapping.dmp

Download
memory/944-80-0x0000000000000000-mapping.dmp

Download
memory/944-45-0x0000000000000000-mapping.dmp

Download
memory/956-28-0x0000000000000000-mapping.dmp

Download
memory/964-63-0x0000000000000000-mapping.dmp

Download
memory/964-51-0x0000000000000000-mapping.dmp

Download
memory/1084-86-0x0000000000000000-mapping.dmp

Download
memory/1088-22-0x0000000000000000-mapping.dmp

Download
memory/1088-85-0x0000000000000000-mapping.dmp

Download
memory/1092-55-0x0000000000000000-mapping.dmp

Download
memory/1092-92-0x0000000000000000-mapping.dmp

Download
memory/1112-98-0x0000000000000000-mapping.dmp

Download
memory/1116-116-0x0000000000000000-mapping.dmp

Download
memory/1116-77-0x0000000000000000-mapping.dmp

Download
memory/1116-101-0x0000000000000000-mapping.dmp

Download
memory/1120-24-0x0000000000000000-mapping.dmp

Download
memory/1120-68-0x0000000000000000-mapping.dmp

Download
memory/1128-91-0x0000000000000000-mapping.dmp

Download
memory/1128-108-0x0000000000000000-mapping.dmp

Download
memory/1164-82-0x0000000000000000-mapping.dmp

Download
memory/1172-56-0x0000000000000000-mapping.dmp

Download
memory/1176-18-0x0000000000000000-mapping.dmp

Download
memory/1180-48-0x0000000000000000-mapping.dmp

Download
memory/1240-102-0x0000000000000000-mapping.dmp

Download
memory/1240-75-0x0000000000000000-mapping.dmp

Download
memory/1240-83-0x0000000000000000-mapping.dmp

Download
memory/1288-46-0x0000000000000000-mapping.dmp

Download
memory/1320-96-0x0000000000000000-mapping.dmp

Download
memory/1328-81-0x0000000000000000-mapping.dmp

Download
memory/1328-99-0x0000000000000000-mapping.dmp

Download
memory/1328-103-0x0000000000000000-mapping.dmp

Download
memory/1348-66-0x0000000000000000-mapping.dmp

Download
memory/1364-109-0x0000000000000000-mapping.dmp

Download
memory/1364-117-0x0000000000000000-mapping.dmp

Download
memory/1364-115-0x0000000000000000-mapping.dmp

Download
memory/1368-25-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1368-26-0x000000000044C7BE-mapping.dmp

Download
memory/1368-27-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1368-29-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1368-30-0x0000000074180000-0x000000007486E000-memory.dmp

Filesize
6.9MB

Download
memory/1376-6-0x0000000000000000-mapping.dmp

Download
memory/1380-37-0x0000000000000000-mapping.dmp

Download
memory/1452-65-0x0000000000000000-mapping.dmp

Download
memory/1452-114-0x0000000000000000-mapping.dmp

Download
memory/1480-23-0x0000000000000000-mapping.dmp

Download
memory/1532-89-0x0000000000000000-mapping.dmp

Download
memory/1532-105-0x0000000000000000-mapping.dmp

Download
memory/1532-164-0x0000000000000000-mapping.dmp

Download
memory/1544-78-0x0000000000000000-mapping.dmp

Download
memory/1544-69-0x0000000000000000-mapping.dmp

Download
memory/1588-87-0x0000000000000000-mapping.dmp

Download
memory/1624-54-0x0000000000000000-mapping.dmp

Download
memory/1628-19-0x0000000000000000-mapping.dmp

Download
memory/1636-72-0x0000000000000000-mapping.dmp

Download
memory/1648-42-0x0000000000000000-mapping.dmp

Download
memory/1652-170-0x0000000000000000-mapping.dmp

Download
memory/1664-59-0x0000000000000000-mapping.dmp

Download
memory/1672-88-0x0000000000000000-mapping.dmp

Download
memory/1672-73-0x0000000000000000-mapping.dmp

Download
memory/1684-35-0x0000000000000000-mapping.dmp

Download
memory/1684-62-0x0000000000000000-mapping.dmp

Download
memory/1700-21-0x0000000000000000-mapping.dmp

Download
memory/1704-61-0x0000000000000000-mapping.dmp

Download
memory/1716-41-0x0000000000000000-mapping.dmp

Download
memory/1728-71-0x0000000000000000-mapping.dmp

Download
memory/1728-49-0x0000000000000000-mapping.dmp

Download
memory/1780-36-0x0000000000000000-mapping.dmp

Download
memory/1844-74-0x0000000000000000-mapping.dmp

Download
memory/1852-39-0x0000000000000000-mapping.dmp

Download
memory/1852-90-0x0000000000000000-mapping.dmp

Download
memory/1856-67-0x0000000000000000-mapping.dmp

Download
memory/1856-106-0x0000000000000000-mapping.dmp

Download
memory/1920-70-0x0000000000000000-mapping.dmp

Download
memory/1940-112-0x0000000000000000-mapping.dmp

Download
memory/1940-97-0x0000000000000000-mapping.dmp

Download
memory/1944-76-0x0000000000000000-mapping.dmp

Download
memory/1960-0-0x0000000074200000-0x00000000748EE000-memory.dmp

Filesize
6.9MB

Download
memory/1960-3-0x0000000000560000-0x0000000000577000-memory.dmp

Filesize
92KB

Download
memory/1960-4-0x0000000000790000-0x00000000007AF000-memory.dmp

Filesize
124KB

Download
memory/1960-1-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1960-5-0x00000000005C0000-0x00000000005C6000-memory.dmp

Filesize
24KB

Download
memory/1964-94-0x0000000000000000-mapping.dmp

Download
memory/1964-57-0x0000000000000000-mapping.dmp

Download
memory/1972-111-0x0000000000000000-mapping.dmp

Download
memory/1988-84-0x0000000000000000-mapping.dmp

Download
memory/1996-38-0x0000000000000000-mapping.dmp

Download
memory/2000-52-0x0000000000000000-mapping.dmp

Download
memory/2004-110-0x0000000000000000-mapping.dmp

Download
memory/2020-113-0x0000000000000000-mapping.dmp

Download
memory/2028-107-0x0000000000000000-mapping.dmp

Download
memory/2028-93-0x0000000000000000-mapping.dmp

Download
memory/2036-43-0x0000000000000000-mapping.dmp

Download
memory/2040-100-0x0000000000000000-mapping.dmp

Download
memory/2040-95-0x0000000000000000-mapping.dmp

Download
memory/2060-118-0x0000000000000000-mapping.dmp

Download
memory/2076-165-0x0000000000000000-mapping.dmp

Download
memory/2084-166-0x0000000000000000-mapping.dmp

Download
memory/2088-119-0x0000000000000000-mapping.dmp

Download
memory/2108-120-0x0000000000000000-mapping.dmp

Download
memory/2128-168-0x0000000000000000-mapping.dmp

Download
memory/2136-121-0x0000000000000000-mapping.dmp

Download
memory/2140-167-0x0000000000000000-mapping.dmp

Download
memory/2152-122-0x0000000000000000-mapping.dmp

Download
memory/2176-169-0x0000000000000000-mapping.dmp

Download
memory/2180-123-0x0000000000000000-mapping.dmp

Download
memory/2196-124-0x0000000000000000-mapping.dmp

Download
memory/2208-172-0x0000000000000000-mapping.dmp

Download
memory/2224-125-0x0000000000000000-mapping.dmp

Download
memory/2224-171-0x0000000000000000-mapping.dmp

Download
memory/2240-126-0x0000000000000000-mapping.dmp

Download
memory/2264-173-0x0000000000000000-mapping.dmp

Download
memory/2268-127-0x0000000000000000-mapping.dmp

Download
memory/2284-128-0x0000000000000000-mapping.dmp

Download
memory/2296-175-0x0000000000000000-mapping.dmp

Download
memory/2300-174-0x0000000000000000-mapping.dmp

Download
memory/2312-129-0x0000000000000000-mapping.dmp

Download
memory/2328-130-0x0000000000000000-mapping.dmp

Download
memory/2356-131-0x0000000000000000-mapping.dmp

Download
memory/2360-176-0x0000000000000000-mapping.dmp

Download
memory/2372-132-0x0000000000000000-mapping.dmp

Download
memory/2376-178-0x0000000000000000-mapping.dmp

Download
memory/2388-177-0x0000000000000000-mapping.dmp

Download
memory/2400-133-0x0000000000000000-mapping.dmp

Download
memory/2416-134-0x0000000000000000-mapping.dmp

Download
memory/2444-135-0x0000000000000000-mapping.dmp

Download
memory/2452-179-0x0000000000000000-mapping.dmp

Download
memory/2460-136-0x0000000000000000-mapping.dmp

Download
memory/2488-137-0x0000000000000000-mapping.dmp

Download
memory/2504-138-0x0000000000000000-mapping.dmp

Download
memory/2532-139-0x0000000000000000-mapping.dmp

Download
memory/2548-140-0x0000000000000000-mapping.dmp

Download
memory/2576-141-0x0000000000000000-mapping.dmp

Download
memory/2592-142-0x0000000000000000-mapping.dmp

Download
memory/2620-143-0x0000000000000000-mapping.dmp

Download
memory/2636-144-0x0000000000000000-mapping.dmp

Download
memory/2664-145-0x0000000000000000-mapping.dmp

Download
memory/2680-146-0x0000000000000000-mapping.dmp

Download
memory/2708-147-0x0000000000000000-mapping.dmp

Download
memory/2724-148-0x0000000000000000-mapping.dmp

Download
memory/2752-149-0x0000000000000000-mapping.dmp

Download
memory/2768-150-0x0000000000000000-mapping.dmp

Download
memory/2796-151-0x0000000000000000-mapping.dmp

Download
memory/2812-152-0x0000000000000000-mapping.dmp

Download
memory/2840-153-0x0000000000000000-mapping.dmp

Download
memory/2856-154-0x0000000000000000-mapping.dmp

Download
memory/2884-155-0x0000000000000000-mapping.dmp

Download
memory/2900-156-0x0000000000000000-mapping.dmp

Download
memory/2928-157-0x0000000000000000-mapping.dmp

Download
memory/2944-158-0x0000000000000000-mapping.dmp

Download
memory/2972-159-0x0000000000000000-mapping.dmp

Download
memory/2988-160-0x0000000000000000-mapping.dmp

Download
memory/3016-161-0x0000000000000000-mapping.dmp

Download
memory/3032-162-0x0000000000000000-mapping.dmp

Download
memory/3060-163-0x0000000000000000-mapping.dmp

Download