General Info Watch the FULL Interactive Analysis at ANY.RUN!

File name

Nouveau.jar

Verdict
Malicious activity
Analysis date
2/11/2019, 09:10:52
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
dunihi
adwind
Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v5
MD5

c23912eabb94bc8e237231012f4a5b80

SHA1

22c22f9b587c57387a5848f4bcd3f7f1a147142f

SHA256

94a65d3616639dc1b52fd7942276a475c45d6c280799b958497155a6b46aef8c

SSDEEP

12288:sR03cqHwusgi42wUaXqHRKC4Sr7uDGpY+Fqm/+DozJ9BcE/dfZkpgjCBF/PP5xgN:sOcGvd2w8MPS2iAm/+DozJHh/kpgjWpc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • java.exe (PID: 2712)
  • javaw.exe (PID: 3632)
  • svchost.exe (PID: 816)
  • javaw.exe (PID: 3708)
  • javaw.exe (PID: 2204)
  • cmd.exe (PID: 3528)
  • wscript.exe (PID: 3228)
  • explorer.exe (PID: 116)
  • java.exe (PID: 2768)
  • javaw.exe (PID: 2840)
Application was dropped or rewritten from another process
  • java.exe (PID: 2712)
  • javaw.exe (PID: 3708)
  • java.exe (PID: 2768)
  • javaw.exe (PID: 2204)
  • javaw.exe (PID: 3632)
  • javaw.exe (PID: 2840)
Changes the autorun value in the registry
  • reg.exe (PID: 2584)
  • wscript.exe (PID: 3228)
  • WScript.exe (PID: 2740)
AdWind was detected
  • java.exe (PID: 2768)
DUNIHI was detected
  • WScript.exe (PID: 2740)
Connects to CnC server
  • WScript.exe (PID: 2740)
Writes to a start menu file
  • WScript.exe (PID: 2740)
Starts itself from another location
  • javaw.exe (PID: 2840)
Uses ATTRIB.EXE to modify file attributes
  • javaw.exe (PID: 2840)
Uses REG.EXE to modify Windows registry
  • javaw.exe (PID: 2840)
Executes scripts
  • cmd.exe (PID: 3124)
  • cmd.exe (PID: 2892)
  • cmd.exe (PID: 3804)
  • cmd.exe (PID: 4064)
  • wscript.exe (PID: 3228)
  • javaw.exe (PID: 3708)
Starts CMD.EXE for commands execution
  • java.exe (PID: 2768)
  • javaw.exe (PID: 2840)
  • wscript.exe (PID: 3228)
Executes JAVA applets
  • javaw.exe (PID: 2840)
  • wscript.exe (PID: 3228)
  • cmd.exe (PID: 3528)
  • explorer.exe (PID: 116)
Connects to unusual port
  • WScript.exe (PID: 2740)
Executable content was dropped or overwritten
  • xcopy.exe (PID: 3300)
Creates files in the user directory
  • javaw.exe (PID: 2840)
  • WScript.exe (PID: 2740)
  • wscript.exe (PID: 3228)
  • xcopy.exe (PID: 3300)
Application launched itself
  • wscript.exe (PID: 3228)
  • WinRAR.exe (PID: 3468)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.rar
|   RAR compressed archive (v5.0) (61.5%)
.rar
|   RAR compressed archive (gen) (38.4%)

Screenshots

Processes

Total processes
65
Monitored processes
25
Malicious processes
8
Suspicious processes
2

Behavior graph

+
start winrar.exe no specs winrar.exe no specs javaw.exe no specs wscript.exe #DUNIHI wscript.exe cmd.exe no specs javaw.exe no specs javaw.exe no specs java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs xcopy.exe cmd.exe no specs cscript.exe no specs reg.exe attrib.exe no specs svchost.exe no specs explorer.exe no specs attrib.exe no specs javaw.exe no specs java.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
816
CMD
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Path
C:\Windows\System32\svchost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\audiosrv.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\avrt.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxsms.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\trkwks.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\portabledeviceconnectapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wdi.dll
c:\windows\system32\apphlpdm.dll
c:\windows\system32\shell32.dll
c:\windows\system32\wer.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\netman.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasdlg.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netcfgx.dll
c:\windows\system32\slc.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\atl.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\eappcfg.dll
c:\windows\system32\wlanhlp.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\onex.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\dot3api.dll
c:\windows\system32\pcasvc.dll
c:\windows\system32\aepic.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\version.dll
c:\windows\system32\wevtapi.dll
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\program files\java\jre1.8.0_92\bin\java.dll

PID
116
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shacct.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\gameux.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wer.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\psapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\hcproviders.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\program files\winrar\winrar.exe
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\program files\java\jre1.8.0_92\bin\java.dll

PID
3468
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Nouveau.jar.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll

PID
3352
CMD
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa3468.20105\jre-8u201-windows-x64.jar
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\program files\java\jre1.8.0_92\bin\javaw.exe

PID
3708
CMD
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\Desktop\jre-8u201-windows-x64.jar"
Path
C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\program files\java\jre1.8.0_92\bin\verify.dll
c:\program files\java\jre1.8.0_92\bin\java.dll
c:\program files\java\jre1.8.0_92\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wscript.exe
c:\windows\system32\apphelp.dll

PID
3228
CMD
wscript C:\Users\admin\auqtoxxxcf.vbs
Path
C:\Windows\system32\wscript.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\program files\java\jre1.8.0_92\bin\java.dll

PID
2740
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\nOEIXYweyr.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
wscript.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll

PID
3528
CMD
"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version 2> C:\Users\admin\AppData\Local\Temp\output.txt
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
wscript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\program files\java\jre1.8.0_92\bin\java.dll

PID
2204
CMD
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version
Path
C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\program files\java\jre1.8.0_92\bin\verify.dll
c:\program files\java\jre1.8.0_92\bin\java.dll
c:\program files\java\jre1.8.0_92\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll

PID
2840
CMD
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar"
Path
C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Indicators
No indicators
Parent process
wscript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\program files\java\jre1.8.0_92\bin\verify.dll
c:\program files\java\jre1.8.0_92\bin\java.dll
c:\program files\java\jre1.8.0_92\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptbase.dll
c:\program files\java\jre1.8.0_92\bin\net.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\program files\java\jre1.8.0_92\bin\nio.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\java.exe
c:\program files\java\jre1.8.0_92\bin\sunec.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\program files\java\jre1.8.0_92\bin\awt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xcopy.exe
c:\program files\java\jre1.8.0_92\bin\management.dll
c:\users\admin\appdata\roaming\oracle\bin\javaw.exe
c:\users\admin\appdata\roaming\oracle\bin\java.dll

PID
2768
CMD
"C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.5095062297411482163979030849212189.class
Path
C:\Program Files\Java\jre1.8.0_92\bin\java.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\program files\java\jre1.8.0_92\bin\java.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\program files\java\jre1.8.0_92\bin\verify.dll
c:\program files\java\jre1.8.0_92\bin\java.dll
c:\program files\java\jre1.8.0_92\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\program files\java\jre1.8.0_92\bin\sunec.dll
c:\program files\java\jre1.8.0_92\bin\net.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\program files\java\jre1.8.0_92\bin\nio.dll
c:\program files\java\jre1.8.0_92\bin\awt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\program files\java\jre1.8.0_92\bin\management.dll
c:\program files\java\jre1.8.0_92\bin\sunmscapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
3804
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1230924861210978264.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cscript.exe

PID
2476
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1230924861210978264.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
4064
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4055006280000470612.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
2592
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4055006280000470612.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2892
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7988252353073535831.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
java.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
3936
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7988252353073535831.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3300
CMD
xcopy "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle\" /e
Path
C:\Windows\system32\xcopy.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3124
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2451347384801487964.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
java.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
3932
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2451347384801487964.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2584
CMD
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ZYhRQlVdovW /t REG_EXPAND_SZ /d "\"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\admin\MnDUThwnuWt\zFIfZwxPmWf.paBrKK\"" /f
Path
C:\Windows\system32\reg.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3404
CMD
attrib +h "C:\Users\admin\MnDUThwnuWt\*.*"
Path
C:\Windows\system32\attrib.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Attribute Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3496
CMD
attrib +h "C:\Users\admin\MnDUThwnuWt"
Path
C:\Windows\system32\attrib.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Attribute Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3632
CMD
C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\admin\MnDUThwnuWt\zFIfZwxPmWf.paBrKK
Path
C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\users\admin\appdata\roaming\oracle\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\roaming\oracle\bin\msvcr100.dll
c:\users\admin\appdata\roaming\oracle\bin\client\jvm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\roaming\oracle\bin\verify.dll
c:\users\admin\appdata\roaming\oracle\bin\java.dll
c:\users\admin\appdata\roaming\oracle\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cryptbase.dll
c:\users\admin\appdata\roaming\oracle\bin\net.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\users\admin\appdata\roaming\oracle\bin\nio.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\oracle\bin\java.exe
c:\users\admin\appdata\roaming\oracle\bin\sunec.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
2712
CMD
C:\Users\admin\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\admin\AppData\Local\Temp\_0.16026920281406227857135345292851464.class
Path
C:\Users\admin\AppData\Roaming\Oracle\bin\java.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\users\admin\appdata\roaming\oracle\bin\java.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\roaming\oracle\bin\msvcr100.dll
c:\users\admin\appdata\roaming\oracle\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\roaming\oracle\bin\verify.dll
c:\users\admin\appdata\roaming\oracle\bin\java.dll
c:\users\admin\appdata\roaming\oracle\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll

Registry activity

Total events
4139
Read events
4056
Write events
83
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList
a
WinRAR.exe
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList
MRUList
a
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
00000000000000000000000029280000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002E0000003D00000023631500090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jar\OpenWithList
a
WinRAR.exe
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jar\OpenWithList
MRUList
a
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
000000000000000000000000934D0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002E0000003D0000008D881500090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
000000000000000001000000934D0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002E0000003E0000008D881500090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
000000000000000001000000B1550000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002E0000003E000000AB901500090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Wnin\wer1.8.0_92\ova\wninj.rkr
00000000010000000000000000000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFB038827FE1C1D40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002F0000003E000000AB901500090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3468
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Nouveau.jar.rar
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
0
C:\Users\admin\Desktop
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3352
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
1
C:\Users\admin\AppData\Local\Temp\Nouveau.jar.rar
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Rar$DIa3468.20105\jre-8u201-windows-x64.jar
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Temp\Rar$DIa3468.20105
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C8000000000000000000000000004A0102000000000039000000B40200000000000001000000
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C8000000000000000000000000004801020000000000160000002A0000000000000002000000
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C8000000000000000000000000005E0102000000000016000000640000000000000003000000
3228
wscript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3228
wscript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3228
wscript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ntfsmgr
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar"
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\nOEIXYweyr
false - 2/11/2019
2740
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
nOEIXYweyr
wscript.exe //B "C:\Users\admin\AppData\Roaming\nOEIXYweyr.vbs"
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nOEIXYweyr
wscript.exe //B "C:\Users\admin\AppData\Roaming\nOEIXYweyr.vbs"
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
EnableFileTracing
0
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
EnableConsoleTracing
0
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
FileTracingMask
4294901760
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
ConsoleTracingMask
4294901760
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
MaxFileSize
1048576
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
FileDirectory
%windir%\tracing
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
EnableFileTracing
0
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
EnableConsoleTracing
0
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
FileTracingMask
4294901760
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
ConsoleTracingMask
4294901760
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
MaxFileSize
1048576
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
FileDirectory
%windir%\tracing
2740
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2740
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2740
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2740
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2584
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ZYhRQlVdovW
"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\admin\MnDUThwnuWt\zFIfZwxPmWf.paBrKK"
<