hiverat | f0331d96574776e1254747cac935785308803f1234cb833064f0aae4e9aa7964

Analysis

max time kernel
150s
max time network
149s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Booking Confirmation 110992024951 - copy - PDF.exe
Size

852KB
MD5

76365cf942438345266042ed4f88b48b
SHA1

5e83c5e24bb0a923a8988ca2ac39f2a1656d052d
SHA256

f0331d96574776e1254747cac935785308803f1234cb833064f0aae4e9aa7964
SHA512

76f9b23b199dd248be5c7d7a32f36bb079f93b3d7664ea82c2db942876861eeb37cce5cd5a6d207f47fa19b1d4007c1ad9e862ea8917b74f591e312c5020127b

Score

10^/10

hiverat persistence rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2736-35-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/2736-36-0x000000000044C7BE-mapping.dmp	family_hiverat
behavioral2/memory/2736-37-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Executes dropped EXE 1 IoCs

Processes:

images.exe

pid process

3948 images.exe

pid	process
3948	images.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\iamges = "C:\\Users\\Admin\\AppData\\Roaming\\system\\images.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

images.exe

description pid process target process

PID 3948 set thread context of 2736 3948 images.exe InstallUtil.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Booking Confirmation 110992024951 - copy - PDF.exeimages.exeInstallUtil.exe

pid process

916 Booking Confirmation 110992024951 - copy - PDF.exe
3948 images.exe
2736 InstallUtil.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

images.exe

pid process

3948 images.exe

description	pid	process	target process
PID 3948 set thread context of 2736	3948	images.exe	InstallUtil.exe

pid	process
916	Booking Confirmation 110992024951 - copy - PDF.exe
3948	images.exe
2736	InstallUtil.exe

pid	process
3948	images.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Booking Confirmation 110992024951 - copy - PDF.exeimages.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	916	Booking Confirmation 110992024951 - copy - PDF.exe
Token: SeDebugPrivilege	3948	images.exe
Token: SeDebugPrivilege	2736	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Booking Confirmation 110992024951 - copy - PDF.execmd.exeimages.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 916 wrote to memory of 1468	916	Booking Confirmation 110992024951 - copy - PDF.exe	cmd.exe
PID 916 wrote to memory of 1468	916	Booking Confirmation 110992024951 - copy - PDF.exe	cmd.exe
PID 916 wrote to memory of 1468	916	Booking Confirmation 110992024951 - copy - PDF.exe	cmd.exe
PID 916 wrote to memory of 2132	916	Booking Confirmation 110992024951 - copy - PDF.exe	cmd.exe
PID 916 wrote to memory of 2132	916	Booking Confirmation 110992024951 - copy - PDF.exe	cmd.exe
PID 916 wrote to memory of 2132	916	Booking Confirmation 110992024951 - copy - PDF.exe	cmd.exe
PID 2132 wrote to memory of 3948	2132	cmd.exe	images.exe
PID 2132 wrote to memory of 3948	2132	cmd.exe	images.exe
PID 2132 wrote to memory of 3948	2132	cmd.exe	images.exe
PID 3948 wrote to memory of 312	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 312	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 312	3948	images.exe	cmd.exe
PID 312 wrote to memory of 796	312	cmd.exe	reg.exe
PID 312 wrote to memory of 796	312	cmd.exe	reg.exe
PID 312 wrote to memory of 796	312	cmd.exe	reg.exe
PID 3948 wrote to memory of 2540	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 2540	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 2540	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 2736	3948	images.exe	InstallUtil.exe
PID 3948 wrote to memory of 2736	3948	images.exe	InstallUtil.exe
PID 3948 wrote to memory of 2736	3948	images.exe	InstallUtil.exe
PID 3948 wrote to memory of 2736	3948	images.exe	InstallUtil.exe
PID 3948 wrote to memory of 2736	3948	images.exe	InstallUtil.exe
PID 3948 wrote to memory of 2736	3948	images.exe	InstallUtil.exe
PID 3948 wrote to memory of 2736	3948	images.exe	InstallUtil.exe
PID 2540 wrote to memory of 1420	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 1420	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 1420	2540	cmd.exe	reg.exe
PID 3948 wrote to memory of 2736	3948	images.exe	InstallUtil.exe
PID 3948 wrote to memory of 2736	3948	images.exe	InstallUtil.exe
PID 3948 wrote to memory of 1100	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 1100	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 1100	3948	images.exe	cmd.exe
PID 1100 wrote to memory of 2268	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 2268	1100	cmd.exe	reg.exe
PID 1100 wrote to memory of 2268	1100	cmd.exe	reg.exe
PID 3948 wrote to memory of 3952	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 3952	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 3952	3948	images.exe	cmd.exe
PID 3952 wrote to memory of 1440	3952	cmd.exe	reg.exe
PID 3952 wrote to memory of 1440	3952	cmd.exe	reg.exe
PID 3952 wrote to memory of 1440	3952	cmd.exe	reg.exe
PID 3948 wrote to memory of 392	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 392	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 392	3948	images.exe	cmd.exe
PID 392 wrote to memory of 736	392	cmd.exe	reg.exe
PID 392 wrote to memory of 736	392	cmd.exe	reg.exe
PID 392 wrote to memory of 736	392	cmd.exe	reg.exe
PID 3948 wrote to memory of 3628	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 3628	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 3628	3948	images.exe	cmd.exe
PID 3628 wrote to memory of 2652	3628	cmd.exe	reg.exe
PID 3628 wrote to memory of 2652	3628	cmd.exe	reg.exe
PID 3628 wrote to memory of 2652	3628	cmd.exe	reg.exe
PID 3948 wrote to memory of 816	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 816	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 816	3948	images.exe	cmd.exe
PID 816 wrote to memory of 2676	816	cmd.exe	reg.exe
PID 816 wrote to memory of 2676	816	cmd.exe	reg.exe
PID 816 wrote to memory of 2676	816	cmd.exe	reg.exe
PID 3948 wrote to memory of 2120	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 2120	3948	images.exe	cmd.exe
PID 3948 wrote to memory of 2120	3948	images.exe	cmd.exe
PID 2120 wrote to memory of 2408	2120	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110992024951 - copy - PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110992024951 - copy - PDF.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110992024951 - copy - PDF.exe" "C:\Users\Admin\AppData\Roaming\system\images.exe"
2⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\system\images.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Roaming\system\images.exe
"C:\Users\Admin\AppData\Roaming\system\images.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:312

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:2268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:2652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:2676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:2408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:492

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:1788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:3612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:228

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:2052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:3168

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:3824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:1836

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:2272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4044

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:2244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:2744

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:2204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:2196

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:3556

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:660

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:2536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:2716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:1756

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:2176

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:2844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:3156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:1780

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:2164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:984

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:3908

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:712

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:3548

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:1112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:1992

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:1816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:3872

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:2980

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:2712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:3876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:2696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:1596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:912

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:3864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:2672

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:3284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:1352

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:3176

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:2180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:2660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4108

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4176

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4244

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4312

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4516

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4720

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4924

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4992

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:5036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:5060

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4212

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4396

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4504

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4804

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4912

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:5048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:5100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4204

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4248

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4780

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4904

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:5052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:5028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4156

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4264

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4364

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4440

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4740

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
PID:4668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:572

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
4⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "iamges" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\system\images.exe"
5⤵
- Adds Run key to start application
PID:4984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\system\images.exe
MD5
76365cf942438345266042ed4f88b48b

SHA1
5e83c5e24bb0a923a8988ca2ac39f2a1656d052d

SHA256
f0331d96574776e1254747cac935785308803f1234cb833064f0aae4e9aa7964

SHA512
76f9b23b199dd248be5c7d7a32f36bb079f93b3d7664ea82c2db942876861eeb37cce5cd5a6d207f47fa19b1d4007c1ad9e862ea8917b74f591e312c5020127b

Download Submit
C:\Users\Admin\AppData\Roaming\system\images.exe
MD5
76365cf942438345266042ed4f88b48b

SHA1
5e83c5e24bb0a923a8988ca2ac39f2a1656d052d

SHA256
f0331d96574776e1254747cac935785308803f1234cb833064f0aae4e9aa7964

SHA512
76f9b23b199dd248be5c7d7a32f36bb079f93b3d7664ea82c2db942876861eeb37cce5cd5a6d207f47fa19b1d4007c1ad9e862ea8917b74f591e312c5020127b

Download Submit
memory/208-66-0x0000000000000000-mapping.dmp

Download
memory/228-61-0x0000000000000000-mapping.dmp

Download
memory/312-27-0x0000000000000000-mapping.dmp

Download
memory/392-47-0x0000000000000000-mapping.dmp

Download
memory/432-84-0x0000000000000000-mapping.dmp

Download
memory/492-57-0x0000000000000000-mapping.dmp

Download
memory/524-106-0x0000000000000000-mapping.dmp

Download
memory/572-219-0x0000000000000000-mapping.dmp

Download
memory/660-77-0x0000000000000000-mapping.dmp

Download
memory/712-97-0x0000000000000000-mapping.dmp

Download
memory/736-48-0x0000000000000000-mapping.dmp

Download
memory/796-28-0x0000000000000000-mapping.dmp

Download
memory/816-51-0x0000000000000000-mapping.dmp

Download
memory/912-115-0x0000000000000000-mapping.dmp

Download
memory/916-8-0x0000000002C30000-0x0000000002C36000-memory.dmp

Filesize
24KB

Download
memory/916-5-0x0000000005320000-0x000000000533F000-memory.dmp

Filesize
124KB

Download
memory/916-9-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/916-1-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/916-0-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/916-3-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/916-4-0x0000000002D10000-0x0000000002D27000-memory.dmp

Filesize
92KB

Download
memory/916-10-0x0000000008EA0000-0x0000000008EA1000-memory.dmp

Filesize
4KB

Download
memory/916-7-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/916-6-0x0000000008060000-0x0000000008061000-memory.dmp

Filesize
4KB

Download
memory/984-93-0x0000000000000000-mapping.dmp

Download
memory/1060-74-0x0000000000000000-mapping.dmp

Download
memory/1100-33-0x0000000000000000-mapping.dmp

Download
memory/1112-100-0x0000000000000000-mapping.dmp

Download
memory/1176-98-0x0000000000000000-mapping.dmp

Download
memory/1236-163-0x0000000000000000-mapping.dmp

Download
memory/1352-119-0x0000000000000000-mapping.dmp

Download
memory/1356-113-0x0000000000000000-mapping.dmp

Download
memory/1420-32-0x0000000000000000-mapping.dmp

Download
memory/1440-44-0x0000000000000000-mapping.dmp

Download
memory/1452-80-0x0000000000000000-mapping.dmp

Download
memory/1468-11-0x0000000000000000-mapping.dmp

Download
memory/1596-114-0x0000000000000000-mapping.dmp

Download
memory/1756-83-0x0000000000000000-mapping.dmp

Download
memory/1780-91-0x0000000000000000-mapping.dmp

Download
memory/1788-58-0x0000000000000000-mapping.dmp

Download
memory/1816-102-0x0000000000000000-mapping.dmp

Download
memory/1836-65-0x0000000000000000-mapping.dmp

Download
memory/1848-184-0x0000000000000000-mapping.dmp

Download
memory/1992-101-0x0000000000000000-mapping.dmp

Download
memory/2052-62-0x0000000000000000-mapping.dmp

Download
memory/2120-53-0x0000000000000000-mapping.dmp

Download
memory/2132-12-0x0000000000000000-mapping.dmp

Download
memory/2164-92-0x0000000000000000-mapping.dmp

Download
memory/2172-89-0x0000000000000000-mapping.dmp

Download
memory/2176-85-0x0000000000000000-mapping.dmp

Download
memory/2180-122-0x0000000000000000-mapping.dmp

Download
memory/2196-73-0x0000000000000000-mapping.dmp

Download
memory/2204-72-0x0000000000000000-mapping.dmp

Download
memory/2236-126-0x0000000000000000-mapping.dmp

Download
memory/2244-70-0x0000000000000000-mapping.dmp

Download
memory/2256-103-0x0000000000000000-mapping.dmp

Download
memory/2264-59-0x0000000000000000-mapping.dmp

Download
memory/2268-34-0x0000000000000000-mapping.dmp

Download
memory/2272-68-0x0000000000000000-mapping.dmp

Download
memory/2288-81-0x0000000000000000-mapping.dmp

Download
memory/2388-79-0x0000000000000000-mapping.dmp

Download
memory/2408-54-0x0000000000000000-mapping.dmp

Download
memory/2536-78-0x0000000000000000-mapping.dmp

Download
memory/2540-30-0x0000000000000000-mapping.dmp

Download
memory/2612-120-0x0000000000000000-mapping.dmp

Download
memory/2616-96-0x0000000000000000-mapping.dmp

Download
memory/2628-94-0x0000000000000000-mapping.dmp

Download
memory/2652-50-0x0000000000000000-mapping.dmp

Download
memory/2660-124-0x0000000000000000-mapping.dmp

Download
memory/2672-117-0x0000000000000000-mapping.dmp

Download
memory/2676-52-0x0000000000000000-mapping.dmp

Download
memory/2696-112-0x0000000000000000-mapping.dmp

Download
memory/2712-108-0x0000000000000000-mapping.dmp

Download
memory/2716-82-0x0000000000000000-mapping.dmp

Download
memory/2736-35-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2736-38-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2736-55-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/2736-56-0x0000000009100000-0x0000000009101000-memory.dmp

Filesize
4KB

Download
memory/2736-37-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2736-36-0x000000000044C7BE-mapping.dmp

Download
memory/2744-71-0x0000000000000000-mapping.dmp

Download
memory/2776-104-0x0000000000000000-mapping.dmp

Download
memory/2780-198-0x0000000000000000-mapping.dmp

Download
memory/2844-86-0x0000000000000000-mapping.dmp

Download
memory/2864-111-0x0000000000000000-mapping.dmp

Download
memory/2980-107-0x0000000000000000-mapping.dmp

Download
memory/2988-123-0x0000000000000000-mapping.dmp

Download
memory/3156-90-0x0000000000000000-mapping.dmp

Download
memory/3168-63-0x0000000000000000-mapping.dmp

Download
memory/3176-121-0x0000000000000000-mapping.dmp

Download
memory/3284-118-0x0000000000000000-mapping.dmp

Download
memory/3444-109-0x0000000000000000-mapping.dmp

Download
memory/3548-99-0x0000000000000000-mapping.dmp

Download
memory/3556-75-0x0000000000000000-mapping.dmp

Download
memory/3612-60-0x0000000000000000-mapping.dmp

Download
memory/3628-49-0x0000000000000000-mapping.dmp

Download
memory/3644-157-0x0000000000000000-mapping.dmp

Download
memory/3748-67-0x0000000000000000-mapping.dmp

Download
memory/3824-64-0x0000000000000000-mapping.dmp

Download
memory/3864-116-0x0000000000000000-mapping.dmp

Download
memory/3872-105-0x0000000000000000-mapping.dmp

Download
memory/3876-110-0x0000000000000000-mapping.dmp

Download
memory/3908-95-0x0000000000000000-mapping.dmp

Download
memory/3920-87-0x0000000000000000-mapping.dmp

Download
memory/3948-31-0x0000000009070000-0x0000000009071000-memory.dmp

Filesize
4KB

Download
memory/3948-13-0x0000000000000000-mapping.dmp

Download
memory/3948-29-0x0000000009190000-0x000000000919A000-memory.dmp

Filesize
40KB

Download
memory/3948-16-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/3952-39-0x0000000000000000-mapping.dmp

Download
memory/3964-199-0x0000000000000000-mapping.dmp

Download
memory/3972-125-0x0000000000000000-mapping.dmp

Download
memory/4000-221-0x0000000000000000-mapping.dmp

Download
memory/4008-88-0x0000000000000000-mapping.dmp

Download
memory/4040-76-0x0000000000000000-mapping.dmp

Download
memory/4044-69-0x0000000000000000-mapping.dmp

Download
memory/4108-127-0x0000000000000000-mapping.dmp

Download
memory/4136-208-0x0000000000000000-mapping.dmp

Download
memory/4140-159-0x0000000000000000-mapping.dmp

Download
memory/4144-186-0x0000000000000000-mapping.dmp

Download
memory/4152-128-0x0000000000000000-mapping.dmp

Download
memory/4156-207-0x0000000000000000-mapping.dmp

Download
memory/4160-158-0x0000000000000000-mapping.dmp

Download
memory/4176-129-0x0000000000000000-mapping.dmp

Download
memory/4196-210-0x0000000000000000-mapping.dmp

Download
memory/4204-185-0x0000000000000000-mapping.dmp

Download
memory/4212-161-0x0000000000000000-mapping.dmp

Download
memory/4220-130-0x0000000000000000-mapping.dmp

Download
memory/4224-160-0x0000000000000000-mapping.dmp

Download
memory/4244-131-0x0000000000000000-mapping.dmp

Download
memory/4248-187-0x0000000000000000-mapping.dmp

Download
memory/4264-209-0x0000000000000000-mapping.dmp

Download
memory/4276-162-0x0000000000000000-mapping.dmp

Download
memory/4288-132-0x0000000000000000-mapping.dmp

Download
memory/4312-133-0x0000000000000000-mapping.dmp

Download
memory/4316-164-0x0000000000000000-mapping.dmp

Download
memory/4340-189-0x0000000000000000-mapping.dmp

Download
memory/4348-188-0x0000000000000000-mapping.dmp

Download
memory/4356-134-0x0000000000000000-mapping.dmp

Download
memory/4364-211-0x0000000000000000-mapping.dmp

Download
memory/4380-135-0x0000000000000000-mapping.dmp

Download
memory/4392-190-0x0000000000000000-mapping.dmp

Download
memory/4396-165-0x0000000000000000-mapping.dmp

Download
memory/4400-166-0x0000000000000000-mapping.dmp

Download
memory/4404-191-0x0000000000000000-mapping.dmp

Download
memory/4424-136-0x0000000000000000-mapping.dmp

Download
memory/4432-212-0x0000000000000000-mapping.dmp

Download
memory/4440-213-0x0000000000000000-mapping.dmp

Download
memory/4448-137-0x0000000000000000-mapping.dmp

Download
memory/4476-215-0x0000000000000000-mapping.dmp

Download
memory/4492-138-0x0000000000000000-mapping.dmp

Download
memory/4496-192-0x0000000000000000-mapping.dmp

Download
memory/4504-167-0x0000000000000000-mapping.dmp

Download
memory/4516-139-0x0000000000000000-mapping.dmp

Download
memory/4524-214-0x0000000000000000-mapping.dmp

Download
memory/4528-216-0x0000000000000000-mapping.dmp

Download
memory/4532-168-0x0000000000000000-mapping.dmp

Download
memory/4544-169-0x0000000000000000-mapping.dmp

Download
memory/4548-193-0x0000000000000000-mapping.dmp

Download
memory/4560-140-0x0000000000000000-mapping.dmp

Download
memory/4584-141-0x0000000000000000-mapping.dmp

Download
memory/4588-171-0x0000000000000000-mapping.dmp

Download
memory/4600-194-0x0000000000000000-mapping.dmp

Download
memory/4628-142-0x0000000000000000-mapping.dmp

Download
memory/4644-170-0x0000000000000000-mapping.dmp

Download
memory/4652-143-0x0000000000000000-mapping.dmp

Download
memory/4656-195-0x0000000000000000-mapping.dmp

Download
memory/4664-196-0x0000000000000000-mapping.dmp

Download
memory/4668-218-0x0000000000000000-mapping.dmp

Download
memory/4688-173-0x0000000000000000-mapping.dmp

Download
memory/4696-144-0x0000000000000000-mapping.dmp

Download
memory/4708-172-0x0000000000000000-mapping.dmp

Download
memory/4720-145-0x0000000000000000-mapping.dmp

Download
memory/4740-217-0x0000000000000000-mapping.dmp

Download
memory/4752-174-0x0000000000000000-mapping.dmp

Download
memory/4764-146-0x0000000000000000-mapping.dmp

Download
memory/4780-197-0x0000000000000000-mapping.dmp

Download
memory/4788-147-0x0000000000000000-mapping.dmp

Download
memory/4804-175-0x0000000000000000-mapping.dmp

Download
memory/4808-176-0x0000000000000000-mapping.dmp

Download
memory/4820-201-0x0000000000000000-mapping.dmp

Download
memory/4832-148-0x0000000000000000-mapping.dmp

Download
memory/4836-200-0x0000000000000000-mapping.dmp

Download
memory/4856-149-0x0000000000000000-mapping.dmp

Download
memory/4864-220-0x0000000000000000-mapping.dmp

Download
memory/4900-150-0x0000000000000000-mapping.dmp

Download
memory/4904-203-0x0000000000000000-mapping.dmp

Download
memory/4912-177-0x0000000000000000-mapping.dmp

Download
memory/4924-151-0x0000000000000000-mapping.dmp

Download
memory/4940-178-0x0000000000000000-mapping.dmp

Download
memory/4944-205-0x0000000000000000-mapping.dmp

Download
memory/4964-179-0x0000000000000000-mapping.dmp

Download
memory/4968-152-0x0000000000000000-mapping.dmp

Download
memory/4980-202-0x0000000000000000-mapping.dmp

Download
memory/4984-222-0x0000000000000000-mapping.dmp

Download
memory/4992-153-0x0000000000000000-mapping.dmp

Download
memory/5012-181-0x0000000000000000-mapping.dmp

Download
memory/5028-206-0x0000000000000000-mapping.dmp

Download
memory/5036-154-0x0000000000000000-mapping.dmp

Download
memory/5048-180-0x0000000000000000-mapping.dmp

Download
memory/5052-204-0x0000000000000000-mapping.dmp

Download
memory/5060-155-0x0000000000000000-mapping.dmp

Download
memory/5072-183-0x0000000000000000-mapping.dmp

Download
memory/5100-182-0x0000000000000000-mapping.dmp

Download
memory/5104-156-0x0000000000000000-mapping.dmp

Download