- * ID: 2311
- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "Exes_636d3c669e36510bf337fd2f1ea64732.tmp"
- * File Size: 435200
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "83157309528cd13e8d0cf8aa2202449cc454de56a2e9c689c75847e0f6b7f8f4"
- * MD5: "636d3c669e36510bf337fd2f1ea64732"
- * SHA1: "288fefa5d1a74d335d508b1b36453c70071c19b2"
- * SHA512: "a234bd046d8f4f8f73885570c7a5c582b46584f96a33178e70e0930c1dfbaa25ebe436e65002df338fccf6b6999c842947a6e6e8f108a738d50a6bd2ffd279a0"
- * CRC32: "D4F2AC3B"
- * SSDEEP: "6144:CSADzS90C6waTX9h+HkTokdKVx5n7MW2yBbbyMrkOK2qx7bys2T:CnrXb9daxZ7MW2yBbbvgHdx7b"
- * Process Execution:
- "OQyoOv9HxQ.exe",
- "cmd.exe",
- "reg.exe",
- "lsass.exe",
- "cmd.exe",
- "cmd.exe",
- "cmd.exe",
- "cmd.exe",
- "cmd.exe",
- "cmd.exe",
- "cmd.exe",
- "WMIC.exe",
- "cmd.exe",
- "vssadmin.exe",
- "cmd.exe",
- "reg.exe",
- "cmd.exe",
- "reg.exe",
- "cmd.exe",
- "reg.exe",
- "cmd.exe",
- "attrib.exe",
- "cmd.exe",
- "cmd.exe",
- "wevtutil.exe",
- "cmd.exe",
- "wevtutil.exe",
- "cmd.exe",
- "wevtutil.exe",
- "cmd.exe",
- "sc.exe",
- "lsass.exe",
- "lsass.exe",
- "cmd.exe",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "PING.EXE",
- "services.exe",
- "svchost.exe",
- "WmiPrvSE.exe",
- "svchost.exe",
- "taskeng.exe",
- "taskeng.exe",
- "msoia.exe",
- "msoia.exe",
- "taskeng.exe",
- "WMIADAP.exe",
- "taskeng.exe",
- "VSSVC.exe"
- * Executed Commands:
- "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\"",
- "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe -start",
- "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )",
- "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )",
- "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\"",
- "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures",
- "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete",
- "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet",
- "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f",
- "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f",
- "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"",
- "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h",
- "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\"",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security",
- "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System",
- "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled",
- "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -agent 0",
- "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -agent 1",
- "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1",
- "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete",
- "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding",
- "taskeng.exe DA0ED248-9EDB-4144-B9E7-AFC1D00A662A S-1-5-18:NT AUTHORITY\\System:Service:",
- "taskeng.exe A14B62F8-6D27-44D8-BFCB-66F44117F2A4 S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
- "taskeng.exe 4C64B42C-C15C-4AFB-9A31-7317BC95FE05 S-1-5-18:NT AUTHORITY\\System:Service:",
- "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
- "taskeng.exe F7093373-6201-40B8-8D09-6E7E59E028EB S-1-5-18:NT AUTHORITY\\System:Service:",
- "C:\\Windows\\system32\\vssvc.exe",
- "vssadmin delete shadows /all /quiet",
- "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f",
- "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f",
- "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"",
- "attrib \"C:\\Users\\user\\documents\\Default.rdp\" -s -h",
- "wevtutil.exe clear-log Application",
- "wevtutil.exe clear-log Security",
- "wevtutil.exe clear-log System",
- "sc config eventlog start=disabled",
- "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
- "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Executed a command line with a /C or /R argument, which terminates the command shell on completion and can be used to hide execution",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "lsass.exe, PID 2296"
- "Description": "Anomalous file deletion behavior detected (10+)",
- "Details":
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\344AA25B.buran"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\4500E6C1.buran"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
- "DeletedFile": "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- "Description": "Guard page use detected - possible anti-debugging.",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "WmiPrvSE.exe tried to sleep 361 seconds, actually delayed analysis time by 0 seconds"
- "Process": "PING.EXE tried to sleep 345 seconds, actually delayed analysis time by 0 seconds"
- "Process": "svchost.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds"
- "Process": "taskeng.exe tried to sleep 488 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Performs HTTP requests potentially not found in PCAP.",
- "Details":
- "url_ioc": "iplogger.ru:80/1Oh8E.jpeg"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "OQyoOv9HxQ.exe -> C:\\Windows\\System32\\cmd.exe"
- "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
- "Description": "Executed a command line with a /V argument, which modifies variable behaviour and whitespace handling, allowing for increased obfuscation options",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "Description": "Executed a very long command line or script command which may be indicative of chained commands or obfuscation",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "Description": "A ping command was executed with the -n argument possibly to delay analysis",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
- "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
- "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
- "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
- "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
- "command": "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
- "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1"
- "command": "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete"
- "command": "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete"
- "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
- "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
- "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
- "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
- "command": "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
- "command": "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
- "command": "attrib \"C:\\Users\\user\\documents\\Default.rdp\" -s -h"
- "command": "sc config eventlog start=disabled"
- "command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
- "Description": "Attempts to delete volume shadow copies",
- "Details":
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Modifies boot configuration settings",
- "Details":
- "disables_system_recovery": "Modifies the boot configuration to disable startup recovery"
- "ignorefailures": "Modifies the boot configuration to disable Windows error recovery"
- "Description": "A system process is generating network traffic likely as a result of process injection",
- "Details":
- "http_request": "lsass.exe_InternetConnectA_iplogger.ru"
- "http_request_path": "lsass.exe_HttpOpenRequestA_1Oh8E.jpeg"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Local Security Authority Subsystem Service"
- "data": "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"
- "Description": "Exhibits possible ransomware file modification behavior",
- "Details":
- "file_modifications": "Performs 146 file moves indicative of a potential file encryption process"
- "drops_unknown_mimetypes": "Drops 159 unknown file mime types which may be indicative of encrypted files being written back to disk"
- "Description": "Writes a potential ransom message to disk",
- "Details":
- "ransom_file": "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "taskeng.exe:2584"
- "process": "taskeng.exe:1604"
- "Description": "File has been identified by 15 Antiviruses on VirusTotal as malicious",
- "Details":
- "Cylance": "Unsafe"
- "CrowdStrike": "win/malicious_confidence_100% (D)"
- "Symantec": "ML.Attribute.HighConfidence"
- "APEX": "Malicious"
- "Endgame": "malicious (high confidence)"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.PWSQQPass.gh"
- "FireEye": "Generic.mg.636d3c669e36510b"
- "SentinelOne": "DFI - Malicious PE"
- "Microsoft": "Trojan:Win32/Suloc.A"
- "Acronis": "suspicious"
- "VBA32": "Malware-Cryptor.General.3"
- "Rising": "Trojan.Generic@ML.100 (RDML:kwEnH7CqjV0yUM4V3OzqNQ)"
- "Cybereason": "malicious.5d1a74"
- "Qihoo-360": "HEUR/QVM19.1.F7E7.Malware.Gen"
- "Description": "Detects VirtualBox through the presence of a file",
- "Details":
- "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat"
- "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf"
- "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf"
- "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat"
- "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf"
- "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat"
- "Description": "Clears Windows events or logs",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
- "command": "wevtutil.exe clear-log Application"
- "command": "wevtutil.exe clear-log Security"
- "command": "wevtutil.exe clear-log System"
- "Description": "Appears to use character obfuscation in a command line",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe"
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Found duplicated section names"
- "Description": "Uses suspicious command line tools or Windows utilities",
- "Details":
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
- "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
- "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
- "command": "vssadmin delete shadows /all /quiet"
- "command": "wevtutil.exe clear-log Application"
- "command": "wevtutil.exe clear-log Security"
- "command": "wevtutil.exe clear-log System"
- * Started Service:
- * Mutexes:
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\344AA25B.buran",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\4500E6C1.buran",
- "\\??\\PIPE\\wkssvc",
- "\\Device\\LanmanDatagramReceiver",
- "\\??\\PIPE\\DAV RPC SERVICE",
- "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\PIPE\\samr",
- "C:\\.doc",
- "C:\\.doc.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\.htm",
- "C:\\.htm.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\.jpeg",
- "C:\\.jpeg.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\.jpg",
- "C:\\.jpg.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\.pptx",
- "C:\\.pptx.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\.txt",
- "C:\\.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\.xls",
- "C:\\.xls.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\.zip",
- "C:\\Host.bmp",
- "C:\\Host.bmp.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Host.docx",
- "C:\\Host.docx.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Host.html",
- "C:\\Host.html.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Host.jpeg",
- "C:\\Host.jpeg.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Host.jpg",
- "C:\\Host.jpg.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Host.pdf",
- "C:\\Host.pdf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\LICENSE",
- "C:\\Program Files\\Java\\jre1.8.0_201\\LICENSE.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\README.txt",
- "C:\\Program Files\\Java\\jre1.8.0_201\\README.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\release",
- "C:\\Program Files\\Java\\jre1.8.0_201\\release.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME-JAVAFX.txt",
- "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME-JAVAFX.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME.txt",
- "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\Welcome.html",
- "C:\\Program Files\\Java\\jre1.8.0_201\\Welcome.html.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\classes.jsa",
- "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\classes.jsa.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\Xusage.txt",
- "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\Xusage.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\accessibility.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\accessibility.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\calendars.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\calendars.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\charsets.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\charsets.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\classlist",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\classlist.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\content-types.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\content-types.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\currency.data",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\currency.data.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\flavormap.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\flavormap.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.bfc",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.bfc.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.properties.src",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.properties.src.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\hijrah-config-umalqura.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\hijrah-config-umalqura.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javafx.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javafx.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javaws.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javaws.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jce.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jce.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfxswt.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfxswt.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jsse.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jsse.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jvm.hprof.txt",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jvm.hprof.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\logging.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\logging.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management-agent.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management-agent.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\meta-index",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\meta-index.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\net.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\net.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\plugin.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\plugin.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfont.properties.ja",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfont.properties.ja.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfontj2d.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfontj2d.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\resources.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\resources.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\rt.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\rt.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\sound.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\sound.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzdb.dat",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzdb.dat.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzmappings",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzmappings.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\amd64\\jvm.cfg",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\amd64\\jvm.cfg.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\amd64\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\CIEXYZ.pf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\CIEXYZ.pf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\GRAY.pf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\GRAY.pf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\LINEAR_RGB.pf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\LINEAR_RGB.pf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\PYCC.pf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\PYCC.pf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\sRGB.pf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\sRGB.pf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\ffjcext.zip",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\ffjcext.zip.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_de.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_de.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_es.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_es.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_fr.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_fr.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_it.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_it.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ja.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ja.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ko.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ko.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_pt_BR.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_pt_BR.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_sv.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_sv.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_CN.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_CN.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_HK.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_HK.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_TW.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_TW.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash@2x.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash@2x.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11-lic.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11-lic.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11@2x-lic.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11@2x-lic.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\access-bridge-64.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\access-bridge-64.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\cldrdata.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\cldrdata.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\dnsns.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\dnsns.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jaccess.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jaccess.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jfxrt.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jfxrt.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\localedata.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\localedata.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\meta-index",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\meta-index.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\nashorn.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\nashorn.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunec.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunec.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunjce_provider.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunjce_provider.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunmscapi.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunmscapi.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunpkcs11.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunpkcs11.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\zipfs.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\zipfs.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiBold.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiBold.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiItalic.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiItalic.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightItalic.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightItalic.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightRegular.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightRegular.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansDemiBold.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansDemiBold.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansRegular.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansRegular.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterBold.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterBold.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterRegular.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterRegular.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\cursors.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\cursors.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\invalid32x32.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\invalid32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyDrop32x32.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkDrop32x32.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveDrop32x32.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\default.jfc",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\default.jfc.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\profile.jfc",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\profile.jfc.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.access",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.access.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.password.template",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.password.template.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\management.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\management.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\snmp.acl.template",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\snmp.acl.template.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklist",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklist.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklisted.certs",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklisted.certs.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\cacerts",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\cacerts.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.policy",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.policy.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.security",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.security.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\javaws.policy",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\javaws.policy.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\trusted.libraries",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\local_policy.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\local_policy.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\US_export_policy.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\US_export_policy.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\local_policy.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\local_policy.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\US_export_policy.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\US_export_policy.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\Custom.propdesc",
- "C:\\Program Files\\Microsoft Office\\Office15\\Custom.propdesc.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Microsoft Office\\Office15\\Mso Example Setup File A.txt",
- "C:\\Program Files\\Microsoft Office\\Office15\\Mso Example Setup File A.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\VisioCustom.propdesc",
- "C:\\Program Files\\Microsoft Office\\Office15\\VisioCustom.propdesc.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File A.txt",
- "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File A.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\1033\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File B.txt",
- "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File B.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentfallback.xml",
- "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentfallback.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentlogon.xml",
- "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentlogon.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnms006.inf",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnms006.inf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15.cat",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15.cat.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.cat",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.cat.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.inf",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.inf.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-manifest.ini",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-manifest.ini.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-PipelineConfig.xml",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-PipelineConfig.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.gpd",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.gpd.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.ini",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.ini.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNoteNames.gpd",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNoteNames.gpd.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Notepad++\\contextMenu.xml",
- "C:\\Program Files\\Notepad++\\contextMenu.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Notepad++\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
- "C:\\Program Files\\Notepad++\\functionList.xml",
- "C:\\Program Files\\Notepad++\\functionList.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Notepad++\\langs.model.xml",
- "C:\\Program Files\\Notepad++\\langs.model.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
- "C:\\Program Files\\Notepad++\\LICENSE",
- "C:\\Program Files\\Notepad++\\LICENSE.875B149F-7E2C-F9D8-914C-24C48737255D"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\344AA25B.buran",
- "C:\\Users\\user\\AppData\\Local\\Temp\\4500E6C1.buran",
- "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
- "C:\\.doc",
- "C:\\.htm",
- "C:\\.jpeg",
- "C:\\.jpg",
- "C:\\.pptx",
- "C:\\.txt",
- "C:\\.xls",
- "C:\\Host.bmp",
- "C:\\Host.docx",
- "C:\\Host.html",
- "C:\\Host.jpeg",
- "C:\\Host.jpg",
- "C:\\Host.pdf",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat",
- "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT",
- "C:\\Program Files\\Java\\jre1.8.0_201\\LICENSE",
- "C:\\Program Files\\Java\\jre1.8.0_201\\README.txt",
- "C:\\Program Files\\Java\\jre1.8.0_201\\release",
- "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME-JAVAFX.txt",
- "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME.txt",
- "C:\\Program Files\\Java\\jre1.8.0_201\\Welcome.html",
- "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\classes.jsa",
- "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\Xusage.txt",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\accessibility.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\calendars.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\charsets.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\classlist",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\content-types.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\currency.data",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\flavormap.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.bfc",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.properties.src",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\hijrah-config-umalqura.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javafx.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javaws.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jce.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfxswt.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jsse.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jvm.hprof.txt",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\logging.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management-agent.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\meta-index",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\net.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\plugin.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfont.properties.ja",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfontj2d.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\resources.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\rt.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\sound.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzdb.dat",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzmappings",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\amd64\\jvm.cfg",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\CIEXYZ.pf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\GRAY.pf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\LINEAR_RGB.pf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\PYCC.pf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\sRGB.pf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\ffjcext.zip",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_de.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_es.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_fr.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_it.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ja.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ko.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_pt_BR.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_sv.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_CN.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_HK.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_TW.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash@2x.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11-lic.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11@2x-lic.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\access-bridge-64.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\cldrdata.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\dnsns.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jaccess.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jfxrt.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\localedata.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\meta-index",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\nashorn.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunec.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunjce_provider.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunmscapi.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunpkcs11.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\zipfs.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiBold.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiItalic.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightItalic.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightRegular.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansDemiBold.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansRegular.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterBold.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterRegular.ttf",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\cursors.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\invalid32x32.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyDrop32x32.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkDrop32x32.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveDrop32x32.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\default.jfc",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\profile.jfc",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.access",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.password.template",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\management.properties",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\snmp.acl.template",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklist",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklisted.certs",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\cacerts",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.policy",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.security",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\javaws.policy",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\local_policy.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\US_export_policy.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\local_policy.jar",
- "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\US_export_policy.jar",
- "C:\\Program Files\\Microsoft Office\\Office15\\Custom.propdesc",
- "C:\\Program Files\\Microsoft Office\\Office15\\Mso Example Setup File A.txt",
- "C:\\Program Files\\Microsoft Office\\Office15\\VisioCustom.propdesc",
- "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File A.txt",
- "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File B.txt",
- "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentfallback.xml",
- "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentlogon.xml",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnms006.inf",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15.cat",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.cat",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.inf",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-manifest.ini",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-PipelineConfig.xml",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.gpd",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.ini",
- "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNoteNames.gpd",
- "C:\\Program Files\\Notepad++\\contextMenu.xml",
- "C:\\Program Files\\Notepad++\\functionList.xml",
- "C:\\Program Files\\Notepad++\\langs.model.xml",
- "C:\\Program Files\\Notepad++\\LICENSE"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Local Security Authority Subsystem Service",
- "HKEY_CURRENT_USER\\Software\\Buran V\\Service",
- "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Public Key",
- "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Machine ID",
- "HKEY_CURRENT_USER\\Software\\Buran V\\Knock",
- "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Paths",
- "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Paths\\0",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\DA0ED248-9EDB-4144-B9E7-AFC1D00A662A",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\A14B62F8-6D27-44D8-BFCB-66F44117F2A4",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\4C64B42C-C15C-4AFB-9A31-7317BC95FE05",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\F7093373-6201-40B8-8D09-6E7E59E028EB",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\Registry Writer",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\COM+ REGDB Writer",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\ASR Writer",
- "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\Shadow Copy Optimization Writer",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\\(Default)",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\DA0ED248-9EDB-4144-B9E7-AFC1D00A662A\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\A14B62F8-6D27-44D8-BFCB-66F44117F2A4\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\4C64B42C-C15C-4AFB-9A31-7317BC95FE05\\data",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\F7093373-6201-40B8-8D09-6E7E59E028EB\\data"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "geoiptool.com",
- "answers":
- "type": "A",
- "request": "iplogger.ru",
- "answers":
- * Domains:
- "ip": "158.69.67.193",
- "domain": "geoiptool.com"
- "ip": "88.99.66.31",
- "domain": "iplogger.ru"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: