hiverat | c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d

Analysis

max time kernel
171s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
26-03-2022 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d.exe
Size

811KB
MD5

8f4ace45db5383c411aaa2773cd11bb4
SHA1

f1fbdba7c16488d14cba546568e61d0a46390dfc
SHA256

c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d
SHA512

134d39f9b4dd215028444b7aff0c2299a5b424cbbdd915a5fcf393d154e349e17c8e7ba38fa6380de698f241b982aa2140ee07bea167a66d31416f6964a9f76e

Score

10^/10

hiverat persistence rat stealer

Malware Config

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

HiveRAT Payload 10 IoCs

resource	yara_rule
behavioral2/memory/3748-151-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3748-153-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3748-155-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3748-157-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3748-156-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3748-158-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3748-162-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3748-166-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3748-168-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/3748-167-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Executes dropped EXE 1 IoCs

pid	Process
1804	images.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	images.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\images = "C:\\Users\\Admin\\AppData\\Roaming\\systems\\images.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1804 set thread context of 3748	1804	images.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4128	3748	WerFault.exe	102

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3600	c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d.exe
1804	images.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1804	images.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3600	c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d.exe
Token: SeDebugPrivilege	1804	images.exe
Token: SeDebugPrivilege	3748	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 4460	3600	c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d.exe	90
PID 3600 wrote to memory of 4460	3600	c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d.exe	90
PID 3600 wrote to memory of 4460	3600	c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d.exe	90
PID 3600 wrote to memory of 692	3600	c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d.exe	92
PID 3600 wrote to memory of 692	3600	c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d.exe	92
PID 3600 wrote to memory of 692	3600	c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d.exe	92
PID 692 wrote to memory of 1804	692	cmd.exe	94
PID 692 wrote to memory of 1804	692	cmd.exe	94
PID 692 wrote to memory of 1804	692	cmd.exe	94
PID 1804 wrote to memory of 1200	1804	images.exe	98
PID 1804 wrote to memory of 1200	1804	images.exe	98
PID 1804 wrote to memory of 1200	1804	images.exe	98
PID 1200 wrote to memory of 3068	1200	cmd.exe	100
PID 1200 wrote to memory of 3068	1200	cmd.exe	100
PID 1200 wrote to memory of 3068	1200	cmd.exe	100
PID 1804 wrote to memory of 824	1804	images.exe	101
PID 1804 wrote to memory of 824	1804	images.exe	101
PID 1804 wrote to memory of 824	1804	images.exe	101
PID 1804 wrote to memory of 3748	1804	images.exe	102
PID 1804 wrote to memory of 3748	1804	images.exe	102
PID 1804 wrote to memory of 3748	1804	images.exe	102
PID 1804 wrote to memory of 3748	1804	images.exe	102
PID 1804 wrote to memory of 3748	1804	images.exe	102
PID 1804 wrote to memory of 3748	1804	images.exe	102
PID 1804 wrote to memory of 3748	1804	images.exe	102
PID 1804 wrote to memory of 3748	1804	images.exe	102
PID 1804 wrote to memory of 3748	1804	images.exe	102
PID 824 wrote to memory of 2352	824	cmd.exe	104
PID 824 wrote to memory of 2352	824	cmd.exe	104
PID 824 wrote to memory of 2352	824	cmd.exe	104
PID 1804 wrote to memory of 4452	1804	images.exe	105
PID 1804 wrote to memory of 4452	1804	images.exe	105
PID 1804 wrote to memory of 4452	1804	images.exe	105
PID 4452 wrote to memory of 2320	4452	cmd.exe	107
PID 4452 wrote to memory of 2320	4452	cmd.exe	107
PID 4452 wrote to memory of 2320	4452	cmd.exe	107
PID 1804 wrote to memory of 2168	1804	images.exe	108
PID 1804 wrote to memory of 2168	1804	images.exe	108
PID 1804 wrote to memory of 2168	1804	images.exe	108
PID 2168 wrote to memory of 2980	2168	cmd.exe	110
PID 2168 wrote to memory of 2980	2168	cmd.exe	110
PID 2168 wrote to memory of 2980	2168	cmd.exe	110
PID 1804 wrote to memory of 2488	1804	images.exe	114
PID 1804 wrote to memory of 2488	1804	images.exe	114
PID 1804 wrote to memory of 2488	1804	images.exe	114
PID 2488 wrote to memory of 3668	2488	cmd.exe	116
PID 2488 wrote to memory of 3668	2488	cmd.exe	116
PID 2488 wrote to memory of 3668	2488	cmd.exe	116
PID 1804 wrote to memory of 60	1804	images.exe	117
PID 1804 wrote to memory of 60	1804	images.exe	117
PID 1804 wrote to memory of 60	1804	images.exe	117
PID 60 wrote to memory of 4356	60	cmd.exe	119
PID 60 wrote to memory of 4356	60	cmd.exe	119
PID 60 wrote to memory of 4356	60	cmd.exe	119
PID 1804 wrote to memory of 2804	1804	images.exe	120
PID 1804 wrote to memory of 2804	1804	images.exe	120
PID 1804 wrote to memory of 2804	1804	images.exe	120
PID 2804 wrote to memory of 4604	2804	cmd.exe	122
PID 2804 wrote to memory of 4604	2804	cmd.exe	122
PID 2804 wrote to memory of 4604	2804	cmd.exe	122
PID 1804 wrote to memory of 1428	1804	images.exe	123
PID 1804 wrote to memory of 1428	1804	images.exe	123
PID 1804 wrote to memory of 1428	1804	images.exe	123
PID 1428 wrote to memory of 1356	1428	cmd.exe	125

C:\Users\Admin\AppData\Local\Temp\c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d.exe
"C:\Users\Admin\AppData\Local\Temp\c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d.exe" "C:\Users\Admin\AppData\Roaming\systems\images.exe"
  2⤵
  PID:4460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\systems\images.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Users\Admin\AppData\Roaming\systems\images.exe
    "C:\Users\Admin\AppData\Roaming\systems\images.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1200
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:824
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2352
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 768
        5⤵
        Program crash
        
        PID:4128
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4452
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3668
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4356
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4604
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:1356
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1944
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:1536
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:3480
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:848
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:4588
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4932
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:4760
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:3660
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:4752
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3824
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:2380
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:2368
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:384
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1612
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:3772
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1880
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1116
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1000
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1012
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1868
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:4336
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:2352
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:3636
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:4468
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1712
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:2468
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:4312
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:4088
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:440
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:3176
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:712
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:4356
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:544
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1440
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1316
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1360
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:3768
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4968
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1472
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4888
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:4872
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4724
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1392
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4540
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:624
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4740
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:3680
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4012
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:672
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3808
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1664
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:2392
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2676
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:3364
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3288
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:3132
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:3848
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:3252
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1708
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:4656
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1904
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1900
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1632
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:2620
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:3400
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:2032
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3948
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1796
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:712
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1700
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:2760
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:456
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1320
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:932
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:5040
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:4856
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4932
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:2448
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3168
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:4180
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4460
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:4740
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:1076
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:3596
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4384
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:3304
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4048
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:4948
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:3924
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:3908
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1644
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:3376
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1268
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:5048
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1020
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:2776
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1896
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:2228
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:4228
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:2504
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1792
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:728
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:940
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1460
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:2728
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:1512
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1704
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        
        PID:912
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:1176
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
        5⤵
        Adds Run key to start application
        
        PID:4208
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "images" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\systems\images.exe"
      4⤵
      PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3748 -ip 3748
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\systems\images.exe

Filesize
811KB

MD5
8f4ace45db5383c411aaa2773cd11bb4

SHA1
f1fbdba7c16488d14cba546568e61d0a46390dfc

SHA256
c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d

SHA512
134d39f9b4dd215028444b7aff0c2299a5b424cbbdd915a5fcf393d154e349e17c8e7ba38fa6380de698f241b982aa2140ee07bea167a66d31416f6964a9f76e

Download Submit
C:\Users\Admin\AppData\Roaming\systems\images.exe

Filesize
811KB

MD5
8f4ace45db5383c411aaa2773cd11bb4

SHA1
f1fbdba7c16488d14cba546568e61d0a46390dfc

SHA256
c3e3246dd521e246f96bef26ce813fce5f566140e45fc049c0467c2a8382719d

SHA512
134d39f9b4dd215028444b7aff0c2299a5b424cbbdd915a5fcf393d154e349e17c8e7ba38fa6380de698f241b982aa2140ee07bea167a66d31416f6964a9f76e

Download Submit
memory/1804-146-0x000000000A600000-0x000000000A622000-memory.dmp

Filesize
136KB

Download
memory/3600-133-0x00000000074C0000-0x0000000007552000-memory.dmp

Filesize
584KB

Download
memory/3600-132-0x0000000007990000-0x0000000007F34000-memory.dmp

Filesize
5.6MB

Download
memory/3600-130-0x0000000000160000-0x0000000000230000-memory.dmp

Filesize
832KB

Download
memory/3600-134-0x0000000007660000-0x00000000076C6000-memory.dmp

Filesize
408KB

Download
memory/3600-135-0x0000000008AD0000-0x0000000008C92000-memory.dmp

Filesize
1.8MB

Download
memory/3600-136-0x00000000091D0000-0x00000000096FC000-memory.dmp

Filesize
5.2MB

Download
memory/3600-137-0x0000000008A40000-0x0000000008A62000-memory.dmp

Filesize
136KB

Download
memory/3600-131-0x0000000004C50000-0x0000000004CEC000-memory.dmp

Filesize
624KB

Download
memory/3748-167-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3748-151-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3748-168-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3748-156-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3748-157-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3748-155-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3748-153-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3748-158-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3748-162-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3748-166-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download