General Info

File name

Nouveau.jar

Full analysis
https://app.any.run/tasks/fb08a685-8243-4ce1-a823-469ea2f514a2
Verdict
Malicious activity
Analysis date
2/11/2019, 09:10:52
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

trojan

dunihi

adwind

Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v5
MD5

c23912eabb94bc8e237231012f4a5b80

SHA1

22c22f9b587c57387a5848f4bcd3f7f1a147142f

SHA256

94a65d3616639dc1b52fd7942276a475c45d6c280799b958497155a6b46aef8c

SSDEEP

12288:sR03cqHwusgi42wUaXqHRKC4Sr7uDGpY+Fqm/+DozJ9BcE/dfZkpgjCBF/PP5xgN:sOcGvd2w8MPS2iAm/+DozJHh/kpgjWpc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • javaw.exe (PID: 3632)
  • java.exe (PID: 2712)
  • javaw.exe (PID: 2840)
  • javaw.exe (PID: 3708)
  • javaw.exe (PID: 2204)
  • java.exe (PID: 2768)
Loads dropped or rewritten executable
  • javaw.exe (PID: 3632)
  • java.exe (PID: 2712)
  • wscript.exe (PID: 3228)
  • cmd.exe (PID: 3528)
  • explorer.exe (PID: 116)
  • svchost.exe (PID: 816)
  • javaw.exe (PID: 2204)
  • java.exe (PID: 2768)
  • javaw.exe (PID: 3708)
  • javaw.exe (PID: 2840)
Changes the autorun value in the registry
  • reg.exe (PID: 2584)
  • wscript.exe (PID: 3228)
  • WScript.exe (PID: 2740)
AdWind was detected
  • java.exe (PID: 2768)
DUNIHI was detected
  • WScript.exe (PID: 2740)
Connects to CnC server
  • WScript.exe (PID: 2740)
Writes to a start menu file
  • WScript.exe (PID: 2740)
Creates files in the user directory
  • wscript.exe (PID: 3228)
  • javaw.exe (PID: 2840)
  • WScript.exe (PID: 2740)
  • xcopy.exe (PID: 3300)
Starts itself from another location
  • javaw.exe (PID: 2840)
Uses REG.EXE to modify Windows registry
  • javaw.exe (PID: 2840)
Uses ATTRIB.EXE to modify file attributes
  • javaw.exe (PID: 2840)
Executes scripts
  • cmd.exe (PID: 3124)
  • cmd.exe (PID: 2892)
  • cmd.exe (PID: 3804)
  • cmd.exe (PID: 4064)
  • wscript.exe (PID: 3228)
  • javaw.exe (PID: 3708)
Starts CMD.EXE for commands execution
  • javaw.exe (PID: 2840)
  • java.exe (PID: 2768)
  • wscript.exe (PID: 3228)
Executes JAVA applets
  • javaw.exe (PID: 2840)
  • wscript.exe (PID: 3228)
  • cmd.exe (PID: 3528)
  • explorer.exe (PID: 116)
Connects to unusual port
  • WScript.exe (PID: 2740)
Executable content was dropped or overwritten
  • xcopy.exe (PID: 3300)
Application launched itself
  • wscript.exe (PID: 3228)
  • WinRAR.exe (PID: 3468)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
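The behaviors listed above (javaw.exe spawning a script host, WScript running a .vbs from AppData\Roaming, cmd.exe running `javaw.exe -version 2> output.txt`, and javaw.exe launching a second JAR dropped in AppData\Roaming) are the process-tree signals an analyst would turn into detection logic. As an added example that is not part of the ANY.RUN report, the block below runs such rules over constructed Sysmon-style process-creation records. The command lines and parent/child links for PIDs 116, 3468, 3708, 3228, 2740, 3528 and 2840 are copied from the Process information section of this report; the record shape, the rule names, and the benign control process (PID 5000) are assumptions made for illustration.

```python
import ntpath
import re

# Constructed process-creation records modeled on this report's process list.
# PIDs 116, 3468, 3708, 3228, 2740, 3528, 2840 and their command lines are the
# report's; PID 5000 is an invented benign control. The record shape is a
# simplified Sysmon-style tuple, not ANY.RUN's own export format.
EVENTS = [
    {"pid": 116, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "cmd": r"C:\Windows\Explorer.EXE"},
    {"pid": 3468, "ppid": 116, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Nouveau.jar.rar"'},
    {"pid": 3708, "ppid": 116, "image": r"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe",
     "cmd": r'"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\Desktop\jre-8u201-windows-x64.jar"'},
    {"pid": 3228, "ppid": 3708, "image": r"C:\Windows\system32\wscript.exe",
     "cmd": r"wscript C:\Users\admin\auqtoxxxcf.vbs"},
    {"pid": 2740, "ppid": 3228, "image": r"C:\Windows\System32\WScript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\nOEIXYweyr.vbs"'},
    {"pid": 3528, "ppid": 3228, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version 2> C:\Users\admin\AppData\Local\Temp\output.txt'},
    {"pid": 2840, "ppid": 3228, "image": r"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe",
     "cmd": r'"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar"'},
    {"pid": 5000, "ppid": 116, "image": r"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe",
     "cmd": r'"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Program Files\SomeTool\tool.jar"'},
]

JAVA = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# cmd.exe /c "...\javaw.exe" -version 2> <file>: the JRE probe seen in PID 3528
VERSION_PROBE = re.compile(r'javaw?\.exe"?\s+-version\s+2>\s*\S+', re.IGNORECASE)
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def basename(path):
    """Lower-cased file name; the report mixes wscript.exe and WScript.exe."""
    return ntpath.basename(path).lower()


def jar_path(cmd):
    """Path passed to -jar, or None when the command line has no such flag."""
    m = JAR_ARG.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def classify(ev, parent):
    """Rule names that fire for one process, given its parent record (or None)."""
    img, low = basename(ev["image"]), ev["cmd"].lower()
    pimg = basename(parent["image"]) if parent else ""
    jar = (jar_path(ev["cmd"]) or "").lower()
    hits = set()
    if img in JAVA and "\\users\\" in jar:
        hits.add("jar_from_user_dir")                   # PIDs 3708 and 2840
    if pimg in JAVA and img in SCRIPT_HOSTS | {"cmd.exe"}:
        hits.add("java_spawns_script_host")             # PID 3228
    if VERSION_PROBE.search(ev["cmd"]):
        hits.add("jre_version_probe")                   # PID 3528
    if pimg in SCRIPT_HOSTS and img in JAVA and "\\appdata\\roaming\\" in jar:
        hits.add("script_host_runs_jar_from_roaming")   # PID 2840
    if img in SCRIPT_HOSTS and ".vbs" in low and "\\appdata\\roaming\\" in low:
        hits.add("vbs_from_roaming")                    # PID 2740
    return hits


def detect(events):
    """Map pid -> set of rule names, for processes that trip at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    result = {}
    for ev in events:
        hits = classify(ev, by_pid.get(ev["ppid"]))
        if hits:
            result[ev["pid"]] = hits
    return result


def process_chain(events, pid):
    """Image names from the root ancestor down to pid, for analyst triage."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, hits in sorted(detect(EVENTS).items()):
        print(pid, " -> ".join(process_chain(EVENTS, pid)), sorted(hits))
```

The `jar_from_user_dir` rule alone is noisy on workstations where users run Java tools from their profile, which is why the control record (PID 5000, a JAR under Program Files) and the parent-aware rules exist: a JRE started by a script host, or a script host started by a JRE, is the combination that separates this sample's chain (explorer.exe -> javaw.exe -> wscript.exe -> javaw.exe) from ordinary use. The autorun change made through reg.exe (PID 2584) is not modeled because the report does not show that process's command line.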

Static information

TRiD

  • .rar | RAR compressed archive (v5.0) (61.5%)
  • .rar | RAR compressed archive (gen) (38.4%)

Processes

Total processes
65
Monitored processes
25
Malicious processes
8
Suspicious processes
2

Behavior graph

Processes in launch order (graph nodes; "no specs" means no special indicator was attached to that node):

  • start
  • winrar.exe (no specs)
  • winrar.exe (no specs)
  • javaw.exe (no specs)
  • wscript.exe
  • wscript.exe #DUNIHI
  • cmd.exe (no specs)
  • javaw.exe (no specs)
  • javaw.exe (no specs)
  • java.exe
  • cmd.exe (no specs)
  • cscript.exe (no specs)
  • cmd.exe (no specs)
  • cscript.exe (no specs)
  • cmd.exe (no specs)
  • cscript.exe (no specs)
  • xcopy.exe
  • cmd.exe (no specs)
  • cscript.exe (no specs)
  • reg.exe
  • attrib.exe (no specs)
  • svchost.exe (no specs)
  • explorer.exe (no specs)
  • attrib.exe (no specs)
  • javaw.exe (no specs)
  • java.exe (no specs)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
816
CMD
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Path
C:\Windows\System32\svchost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Host Process for Windows Services
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\audiosrv.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\avrt.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxsms.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\trkwks.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\portabledeviceconnectapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wdi.dll
c:\windows\system32\apphlpdm.dll
c:\windows\system32\shell32.dll
c:\windows\system32\wer.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\netman.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasdlg.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netcfgx.dll
c:\windows\system32\slc.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\atl.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\eappcfg.dll
c:\windows\system32\wlanhlp.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\onex.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\dot3api.dll
c:\windows\system32\pcasvc.dll
c:\windows\system32\aepic.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\version.dll
c:\windows\system32\wevtapi.dll
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\program files\java\jre1.8.0_92\bin\java.dll

PID
116
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shacct.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\gameux.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wer.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\psapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\hcproviders.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\program files\winrar\winrar.exe
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\program files\java\jre1.8.0_92\bin\java.dll

PID
3468
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Nouveau.jar.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll

PID
3352
CMD
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa3468.20105\jre-8u201-windows-x64.jar
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\program files\java\jre1.8.0_92\bin\javaw.exe

PID
3708
CMD
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\Desktop\jre-8u201-windows-x64.jar"
Path
C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\program files\java\jre1.8.0_92\bin\verify.dll
c:\program files\java\jre1.8.0_92\bin\java.dll
c:\program files\java\jre1.8.0_92\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\wscript.exe
c:\windows\system32\apphelp.dll

PID
3228
CMD
wscript C:\Users\admin\auqtoxxxcf.vbs
Path
C:\Windows\system32\wscript.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\program files\java\jre1.8.0_92\bin\java.dll

PID
2740
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\nOEIXYweyr.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
wscript.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll

PID
3528
CMD
"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version 2> C:\Users\admin\AppData\Local\Temp\output.txt
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
wscript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\program files\java\jre1.8.0_92\bin\java.dll

PID
2204
CMD
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version
Path
C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\program files\java\jre1.8.0_92\bin\verify.dll
c:\program files\java\jre1.8.0_92\bin\java.dll
c:\program files\java\jre1.8.0_92\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll

PID
2840
CMD
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar"
Path
C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Indicators
No indicators
Parent process
wscript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\program files\java\jre1.8.0_92\bin\verify.dll
c:\program files\java\jre1.8.0_92\bin\java.dll
c:\program files\java\jre1.8.0_92\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptbase.dll
c:\program files\java\jre1.8.0_92\bin\net.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\program files\java\jre1.8.0_92\bin\nio.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\java.exe
c:\program files\java\jre1.8.0_92\bin\sunec.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\program files\java\jre1.8.0_92\bin\awt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xcopy.exe
c:\program files\java\jre1.8.0_92\bin\management.dll
c:\users\admin\appdata\roaming\oracle\bin\javaw.exe
c:\users\admin\appdata\roaming\oracle\bin\java.dll

PID
2768
CMD
"C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.5095062297411482163979030849212189.class
Path
C:\Program Files\Java\jre1.8.0_92\bin\java.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\program files\java\jre1.8.0_92\bin\java.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\program files\java\jre1.8.0_92\bin\verify.dll
c:\program files\java\jre1.8.0_92\bin\java.dll
c:\program files\java\jre1.8.0_92\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\program files\java\jre1.8.0_92\bin\sunec.dll
c:\program files\java\jre1.8.0_92\bin\net.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\program files\java\jre1.8.0_92\bin\nio.dll
c:\program files\java\jre1.8.0_92\bin\awt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\program files\java\jre1.8.0_92\bin\management.dll
c:\program files\java\jre1.8.0_92\bin\sunmscapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
3804
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1230924861210978264.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cscript.exe

PID
2476
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1230924861210978264.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
4064
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4055006280000470612.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
2592
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4055006280000470612.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2892
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7988252353073535831.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
java.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
3936
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7988252353073535831.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3300
CMD
xcopy "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle\" /e
Path
C:\Windows\system32\xcopy.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3124
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2451347384801487964.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
java.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
3932
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive2451347384801487964.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2584
CMD
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ZYhRQlVdovW /t REG_EXPAND_SZ /d "\"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\admin\MnDUThwnuWt\zFIfZwxPmWf.paBrKK\"" /f
Path
C:\Windows\system32\reg.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3404
CMD
attrib +h "C:\Users\admin\MnDUThwnuWt\*.*"
Path
C:\Windows\system32\attrib.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Attribute Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3496
CMD
attrib +h "C:\Users\admin\MnDUThwnuWt"
Path
C:\Windows\system32\attrib.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Attribute Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3632
CMD
C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\admin\MnDUThwnuWt\zFIfZwxPmWf.paBrKK
Path
C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\users\admin\appdata\roaming\oracle\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\roaming\oracle\bin\msvcr100.dll
c:\users\admin\appdata\roaming\oracle\bin\client\jvm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\roaming\oracle\bin\verify.dll
c:\users\admin\appdata\roaming\oracle\bin\java.dll
c:\users\admin\appdata\roaming\oracle\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cryptbase.dll
c:\users\admin\appdata\roaming\oracle\bin\net.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\users\admin\appdata\roaming\oracle\bin\nio.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\oracle\bin\java.exe
c:\users\admin\appdata\roaming\oracle\bin\sunec.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
2712
CMD
C:\Users\admin\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\admin\AppData\Local\Temp\_0.16026920281406227857135345292851464.class
Path
C:\Users\admin\AppData\Roaming\Oracle\bin\java.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\users\admin\appdata\roaming\oracle\bin\java.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\roaming\oracle\bin\msvcr100.dll
c:\users\admin\appdata\roaming\oracle\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\roaming\oracle\bin\verify.dll
c:\users\admin\appdata\roaming\oracle\bin\java.dll
c:\users\admin\appdata\roaming\oracle\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll

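The process records above form the persistence chain a responder wants to match in process-creation telemetry (Sysmon event 1 or EDR equivalents): a Java process spawns cscript on Temp\Retrive*.vbs (the cscript module lists show wbem*.dll loaded, i.e. WMI queries), xcopy clones the installed JRE into AppData\Roaming\Oracle, reg.exe writes a Run value that points the cloned javaw.exe at a jar with a non-.jar extension, attrib +h hides the drop folder, and the cloned javaw.exe then runs the payload. The added script below is an example written for this report, not ANY.RUN tooling or anything from the sample: it encodes those observations as rules and runs them over records constructed from the command lines in this report, plus the three Run values recorded in the registry section (the ZYhRQlVdovW data is derived from the reg add command line). The Proc layout, the rule names and the choice of `javaw.exe -version` as the benign control are my own.

```python
"""Triage rules for the Java RAT + VBS persistence chain in this report.

Added example. Proc layout, rule names and sample records are constructed
from the command lines shown in the report; nothing here comes from the sample
or from ANY.RUN.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    image: str   # full path of the executable
    cmd: str     # command line as logged
    parent: str  # parent image name


JAVA_IMAGES = ("javaw.exe", "java.exe")
USER_DIR = re.compile(r"\\users\\[^\\]+\\", re.I)       # anything under C:\Users\<name>\
RUN_KEY = re.compile(r"\\currentversion\\run\b", re.I)
JAR_ARG = re.compile(r'-jar\s+\\?"?([^"\s]+)', re.I)     # path after -jar; quotes optional or escaped


def classify(p: Proc) -> list[str]:
    """Return the names of every rule the process record trips, in rule order."""
    hits: list[str] = []
    base = p.image.rsplit("\\", 1)[-1].lower()
    jar = JAR_ARG.search(p.cmd)

    # Java runtime executing from a user-writable directory (the xcopy'd JRE in AppData\Roaming\Oracle).
    if base in JAVA_IMAGES and USER_DIR.search(p.image):
        hits.append("java_runtime_in_user_dir")
    # Java loading a jar that lives in the user profile (dropper and payload both do this here).
    if base in JAVA_IMAGES and jar and USER_DIR.search(jar.group(1)):
        hits.append("jar_from_user_profile")
    # Java spawning cscript on Temp\Retrive<digits>.vbs; those cscript processes load wbem*.dll (WMI).
    if p.parent.lower() in JAVA_IMAGES and re.search(r"cscript\.exe\s+.*\\temp\\retrive\d+\.vbs", p.cmd, re.I):
        hits.append("java_spawns_temp_vbs")
    # xcopy of the installed JRE into AppData: builds the private runtime later used for persistence.
    if base == "xcopy.exe" and re.search(r"\\java\\jre", p.cmd, re.I) and re.search(r"\\appdata\\", p.cmd, re.I):
        hits.append("jre_cloned_to_appdata")
    # reg add to a Run key whose data runs javaw -jar on a file without a .jar extension.
    if base == "reg.exe" and RUN_KEY.search(p.cmd) and jar:
        target = jar.group(1).rstrip("\\")
        ext = target.rpartition(".")[2].lower() if "." in target.rsplit("\\", 1)[-1] else ""
        if ext != "jar":
            hits.append("run_key_jar_with_odd_extension")
    # attrib +h on a path inside the user profile (hiding the drop folder and its contents).
    if base == "attrib.exe" and re.search(r"\+h\s+\"?[^\"]*\\users\\", p.cmd, re.I):
        hits.append("attrib_hide_user_path")
    return hits


def sweep(procs: list[Proc]) -> dict[int, list[str]]:
    """Map every PID to the rules it trips (empty list means clean)."""
    return {p.pid: classify(p) for p in procs}


def check_run_value(value: str) -> list[str]:
    """Rules for the data of a HKCU/HKLM ...\\CurrentVersion\\Run value."""
    hits: list[str] = []
    # wscript.exe //B (batch mode: no prompts or script-error dialogs) on a script in the user profile.
    if re.search(r"\bwscript\.exe\s+//b\b", value, re.I) and USER_DIR.search(value):
        hits.append("wscript_silent_user_script")
    jar = JAR_ARG.search(value)
    if jar and USER_DIR.search(jar.group(1)):
        hits.append("jar_from_user_profile")
    if re.search(r"\\appdata\\.*\\javaw?\.exe", value, re.I):
        hits.append("java_runtime_in_user_dir")
    return hits


# Records constructed from the process entries in this report (PID, image, command line, parent).
PROCS = [
    Proc(2204, r"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe",
         r'"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version', "cmd.exe"),  # benign control
    Proc(2840, r"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe",
         r'"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar"',
         "wscript.exe"),
    Proc(3804, r"C:\Windows\system32\cmd.exe",
         r"cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1230924861210978264.vbs", "javaw.exe"),
    Proc(3300, r"C:\Windows\system32\xcopy.exe",
         r'xcopy "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle\" /e', "javaw.exe"),
    Proc(2584, r"C:\Windows\system32\reg.exe",
         r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ZYhRQlVdovW /t REG_EXPAND_SZ '
         r'/d "\"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\admin\MnDUThwnuWt\zFIfZwxPmWf.paBrKK\"" /f',
         "javaw.exe"),
    Proc(3404, r"C:\Windows\system32\attrib.exe", r'attrib +h "C:\Users\admin\MnDUThwnuWt\*.*"', "javaw.exe"),
    Proc(3632, r"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe",
         r"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\admin\MnDUThwnuWt\zFIfZwxPmWf.paBrKK",
         "javaw.exe"),
]

# The three Run values written during the run; ZYhRQlVdovW is derived from the reg add command line.
RUN_VALUES = {
    "ntfsmgr": r'"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar"',
    "nOEIXYweyr": r'wscript.exe //B "C:\Users\admin\AppData\Roaming\nOEIXYweyr.vbs"',
    "ZYhRQlVdovW": r'"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\admin\MnDUThwnuWt\zFIfZwxPmWf.paBrKK"',
}

if __name__ == "__main__":
    for pid, hits in sweep(PROCS).items():
        print(f"{pid}: {', '.join(hits) or '-'}")
    for name, value in RUN_VALUES.items():
        print(f"Run\\{name}: {', '.join(check_run_value(value)) or '-'}")
```

Each rule is deliberately narrow so that the benign `javaw.exe -version` record trips nothing while every step of the chain trips at least one; in production the `java_spawns_temp_vbs` and `jre_cloned_to_appdata` rules are the lowest-noise anchors, since ordinary Java applications do not copy their own runtime into AppData or drive cscript from Temp.
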
Registry activity

Total events
4139
Read events
4056
Write events
83
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList
a
WinRAR.exe
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithList
MRUList
a
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
00000000000000000000000029280000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jar\OpenWithList
a
WinRAR.exe
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jar\OpenWithList
MRUList
a
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
000000000000000000000000934D0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
000000000000000001000000934D0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002E0000003E0000008D881500090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000
D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\JvaENE\JvaENE.rkr
000000000000000001000000B1550000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Wnin\wer1.8.0_92\ova\wninj.rkr
00000000010000000000000000000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFB038827FE1C1D40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3468
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Nouveau.jar.rar
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3468
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
0
C:\Users\admin\Desktop
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3352
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
1
C:\Users\admin\AppData\Local\Temp\Nouveau.jar.rar
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Rar$DIa3468.20105\jre-8u201-windows-x64.jar
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Temp\Rar$DIa3468.20105
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C8000000000000000000000000004A0102000000000039000000B40200000000000001000000
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C8000000000000000000000000004801020000000000160000002A0000000000000002000000
3352
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C8000000000000000000000000005E0102000000000016000000640000000000000003000000
3228
wscript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3228
wscript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3228
wscript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ntfsmgr
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar"
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\nOEIXYweyr
false - 2/11/2019
2740
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
nOEIXYweyr
wscript.exe //B "C:\Users\admin\AppData\Roaming\nOEIXYweyr.vbs"
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nOEIXYweyr
wscript.exe //B "C:\Users\admin\AppData\Roaming\nOEIXYweyr.vbs"
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
EnableFileTracing
0
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
EnableConsoleTracing
0
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
FileTracingMask
4294901760
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
ConsoleTracingMask
4294901760
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
MaxFileSize
1048576
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
FileDirectory
%windir%\tracing
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
EnableFileTracing
0
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
EnableConsoleTracing
0
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
FileTracingMask
4294901760
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
ConsoleTracingMask
4294901760
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
MaxFileSize
1048576
2740
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
FileDirectory
%windir%\tracing
2740
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2740
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2740
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2740
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2584
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ZYhRQlVdovW
"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\admin\MnDUThwnuWt\zFIfZwxPmWf.paBrKK"

Files activity

Executable files
87
Suspicious files
2
Text files
30
Unknown types
1

Dropped files

PID
Process
Filename
Type
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\bci.dll
executable
MD5: 6d8d8a26450ee4ba0be405629ea0a511
SHA256: 7945365a3cd40d043dae47849e6645675166920958300e64dea76a865bc479af
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll
executable
MD5: deee2457bde2311f3c24d1b2257364f0
SHA256: ed68df1e549a092674259b1f806a31839ca426572020a7dbe0c46e492b272ec9
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\policytool.exe
executable
MD5: 35f95392b3283b90d1f581d4766ed48f
SHA256: d81308da68136fd421eb56fa2b586ec6801ccf0827d85f495227e6d6c40fc69e
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javacpl.cpl
executable
MD5: cd05e44e94beac05b27a6aa25e51a4c6
SHA256: e3259bb7ef907c0bb74e192e40e57fdf96c903bbc580975348dfef42839669ff
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\prism_common.dll
executable
MD5: 1651ec53b5204c983348de8cacc4e1f9
SHA256: 5264316be4820cbc940e0c277698e6f95ec99a52023e5ef85c3fbe624b45cdaf
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\java.dll
executable
MD5: 0649a7b16b9f472bb9db8a6d2041cf6c
SHA256: 30a048a35865ca5bcea35ebecf7f01f08e8d20b0c4a3e9e0132540815eda1d89
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\prism_sw.dll
executable
MD5: b257ff6fb051a023a1482049c7cfe242
SHA256: 3f976b7efc9fe59abfe0bcde0d3b5af1cf133c64ad1508cb4a00cf2c104f5e81
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jabswitch.exe
executable
MD5: 117b4d5106cc919c29404a5904ab941b
SHA256: a764db727ed6ec056ffe163dbb83db0ad0bd15b83181288c3afcd17a35e7d587
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\prism_d3d.dll
executable
MD5: fb3c4f45e3f7d365c282062ddda1614d
SHA256: f9108ac2555dbc5a6b43cc9504394089be60eae4127397dc651e06b3e7585b00
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\java-rmi.exe
executable
MD5: 556ad8153ad374007ec9d3f489b66e88
SHA256: 2ba8cd9a3757ecf0b8b7de612d7f827de73f7e9da114b1979fe9d429a46f8109
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\java.exe
executable
MD5: 04205791371060574d5c345f0bb57917
SHA256: df24b51772ff4959e9bbfe481f72f0e88ba6e7c031d60edb3b1a47c69f69a6d0
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\resource.dll
executable
MD5: 2999d73f5764b3ac8c43e756391b09ea
SHA256: 15b4fdfe5ddb1820ddc468ac5d0e65045ca6aaea21d3a5a66ecaa8fc1ce48835
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\orbd.exe
executable
MD5: 9d1e898f5892eb35346e1c38c38395e5
SHA256: 0f8cae56647464d75d2530cc9f7205c69911fced55e43a39d86ff4d435a018ed
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\j2pcsc.dll
executable
MD5: 54ede8c09212070f6a6ac4a99c91d9a9
SHA256: 7a9f32ecba3dcaeb653293780812969e2534da7b8e652a24e56271cd088c7a36
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javacpl.exe
executable
MD5: be337576c806c65d53cb6a7673cde00b
SHA256: e7521e54f241e99bb5f7f2de1cd2fc49f3980dc43eb6c5b8fa251178f03616ef
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\rmid.exe
executable
MD5: 4cf042cf43f9a5c0be43a263d987c0f3
SHA256: 6513c40184d496e86e34e327c960b06d20900c3092084a708d890f5376c43cf5
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\net.dll
executable
MD5: a91c9d88f705eac6934ce89e6c4ff63d
SHA256: 6d9bd64084180b7f1b7aa4902372879dc0400905856ac0c229ad33218f3257f1
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jaas_nt.dll
executable
MD5: cb36d7042e9135bb5721484f7d6a5340
SHA256: e700d076614943e138b69f4a1f177914225ca35b93fed8b43bc4a86cfd87c59c
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javafx_font.dll
executable
MD5: a65e9dbf93159c723f22cbd85f544269
SHA256: eada27806ccbf4d015f35f369b6880ef3dcc2eaa3b1ca89546fbdba8b05d9b5c
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\servertool.exe
executable
MD5: 7ec73dab19a45049c9d003383086b631
SHA256: bbe145615886dbb3f4ada7617d1a15fe2aee6cea5dbe34e9c216d1bde1121891
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\nio.dll
executable
MD5: ea6a4745bb7c9085f069fd7b52696972
SHA256: fb537564d240ac9b730941b5c0966209a5857e4d3ec0582ba0443fe391c74294
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\j2pkcs11.dll
executable
MD5: bfbf13215d29658ff8c8122efa95e16d
SHA256: 91b6e445f5b4510c9d66641b1eed925f54dc2e84f3ddb0ff16ed5b0ac4bdc977
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe
executable
MD5: 8cc8fe84f3d67f805d7e4f05ccff8ee8
SHA256: 11054aa4170990ad1d345a2caf15285f3157e4bf240015cc20431b7373a52fc2
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\splashscreen.dll
executable
MD5: 20e2531c9f14c7c5846191e131645cfc
SHA256: a6ea1b705acdda1bb3cd1c3cdcbfe7c86c81654537db8b48f65a781578ffbd77
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\npt.dll
executable
MD5: 6e2865dec3270bde9f6fecc6b34b58cb
SHA256: 9145cb3b7fe40237e5c980404ade4c862d48e2d644aeba0006ec3a6f3e9505b5
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\instrument.dll
executable
MD5: 977b4d30e7c7e7d7a8680a48100efc81
SHA256: 1a1d2c51b3db4507e4a4ad3e5afb6728e69acf9905d3df7c9dc5adbe83f7e96e
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
executable
MD5: 85f9443836bdc0e4814d080d0de00a26
SHA256: 33fe38e43821c7e7d3b46317fab571926174492affd576f6ecd06bffe7a7c1b7
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\ssv.dll
executable
MD5: d8bea123df9f452122d25d45904e7fa8
SHA256: 5eb2d05ffc733e7ec63cb271201f87c7724793e5b92b875551ced1cebb505f3f
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\msvcr120.dll
executable
MD5: 034ccadc1c073e4216e9466b720f9849
SHA256: 86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\hprof.dll
executable
MD5: 9449e99b7e7c8a9ed74ac6b8e1ab0eb9
SHA256: cc82beaa275f4ed4c33b694154bebc5fd097ada50072201d250aed3f269a41b6
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javafx_iio.dll
executable
MD5: 04b0bc87fdc454dcea0cff46fa01668c
SHA256: e880cd6207c687437dd2ca60008ea375bd99b1c07075674cad1052f41b631a97
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\rmiregistry.exe
executable
MD5: bf40067f5dafd9c46ec2f13b176433ce
SHA256: ba2d5038501cf3f3a31616a122f6cd2554d13219e717ef89c6aa1a07eb1cc145
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\msvcr100.dll
executable
MD5: bf38660a9125935658cfa3e53fdc7d65
SHA256: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\glib-lite.dll
executable
MD5: 7ab8afd789e45c2d08cbc3233daec0bf
SHA256: 465541ef4e9337108b375984c23f5d31e6c060fed16820bb9bc5af79a2109eac
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javaws.exe
executable
MD5: 64c6a42537267f07fc6d63686e68330f
SHA256: 3514c54f5d552b2cb64b9e2f8d8c5f65807e1d49fe82689a16f6a3e7521fb437
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\ssvagent.exe
executable
MD5: aa5a9a9dac9f07c7d5b64a3cd2628bcd
SHA256: 4ada2d738b490cc63f3c18f151239dfde615af8a4eaf44b8021642ff9a25b8f2
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\msvcp120.dll
executable
MD5: fd5cabbe52272bd76007b68186ebaf00
SHA256: 87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\kcms.dll
executable
MD5: bdd2789a8fe04e4312ee317ceb4a4d88
SHA256: 0ecd837ae93404f0aacfa6efc20f3c3ce6d1ae683e60a1c8873f07bfc8f93dc4
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\java_crw_demo.dll
executable
MD5: dbad383a6f62bdd6237b55be13648064
SHA256: b34e72996d2c1a9b74a932c6259256b9001b73b3e7ef8c484afb61ff2517fba3
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\sunec.dll
executable
MD5: 7014836a75a5f90d18fe5e314cfaaedf
SHA256: 23b40cf8e64e1a262ef9ff5b9e01246c082eeaa6039b4b05f92e1bd536bd7166
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\mlib_image.dll
executable
MD5: 99e9b09d5863b32047c8727e6303d151
SHA256: bb13a4ea915965aca971da50d9b90cbc0a32c99900eb585c6e9e12232b448fef
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\glass.dll
executable
MD5: be9d67dffcc06d2073831f5d8cde2dc0
SHA256: a92df0e1f93e29fae427da766d9b91bda4b421e6ab86aeb9cdd060b218028d35
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jawt.dll
executable
MD5: 725967c67304ef1a35a3651e1b6b80c2
SHA256: b11633c87ac49873d1e8ef5bcf9335dbe0579f483b5c745c0034f79b3fd0ae8c
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\sunmscapi.dll
executable
MD5: 7a1fb056a2c916b17f29abac29439a05
SHA256: 9c235bbfa97e6a8fc7e09a4ac12f84c8ed8855998410e96dd44e1b64ef951a80
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\lcms.dll
executable
MD5: 18d1893297df724dc8950691a6f0dc39
SHA256: e179ace7a6d6cffeb7540d67ef56d86a96cd16c421154b0a8b499722a4e957d9
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\fontmanager.dll
executable
MD5: 412b97d96ea9384c78851938921ee44a
SHA256: 20bef5bcd523cff21bad585af91d1c913d5535a6b20ac70f5f3d8dafb2f90f25
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jfr.dll
executable
MD5: 2204f11a218cb8675e2c20d5f601f3df
SHA256: 28da2d3e61a12408b8d9f86398f9c78f551e48404bd2c7bdccd8cbd74ed5e5a3
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\tnameserv.exe
executable
MD5: 132c392d95a5a46a1508583a283d3cc7
SHA256: 9f37d44545726fb5aeb03285d3866266322b833cd1a1fde340497c7d9358f775
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\management.dll
executable
MD5: ee87a0c0cb4291612dd37cbcee6ddf72
SHA256: 035121aee1e7f257c582837e1a0bd2e240bc1d1a791354a803e5fa165be22d87
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\fxplugins.dll
executable
MD5: 06fdbc35b3b4a9a36a8688030d387f56
SHA256: 1c78673777d1d48bf9e1e247bc64231817dccec4b08cc5e8c7a7fc5ae1f32501
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jdwp.dll
executable
MD5: 76cbdc3dbba3ae344a9a15839338af79
SHA256: f9a0e87300c8d094bb45834dd128e70a49d6d5d2cef20133411a769c01195c04
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\unpack.dll
executable
MD5: acb818dfec1b72a8c75ee82ff4d8108f
SHA256: 2864b031237c6a68eedab256732e43558b5741ae4f68a07a068438469ad907d9
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\ktab.exe
executable
MD5: 60ef921f2d321b36468fafb6acda65b3
SHA256: e89fe9520bcedbba20b5773598fb15e90dc828be7691adaa9d887ca585046aad
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\eula.dll
executable
MD5: 6f1188df337e62427791c77ea36e6eef
SHA256: dec4f2f32edc45f70e7119c9e52c4cef44bb9aa627dbec1ee70f61d37468556b
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jfxmedia.dll
executable
MD5: 724fc3a925b2f3a30f1df2926f85f5d1
SHA256: e62ec519aff414c1a81aeeb4cbf6de348b3b52ae527f14cedd42449e61fb1548
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\t2k.dll
executable
MD5: 0e2edd951a1d16c99051efa9bc5b407f
SHA256: d66f567fc2a33434063731832719cad75418c619dd30dcf6c339d2d3da32c7bb
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\klist.exe
executable
MD5: c8c94465a25d872da60b718d43af0504
SHA256: 298d8e2730a3dbe942ebe0379f7303bb2872fd7f05746851e47ed7588f541477
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\dt_socket.dll
executable
MD5: 138f156057245747692a68ebe50d52c2
SHA256: f0fd0268d6e410c05e7ee71ad9c96744cd5e4a97329f608041d7078faee24ed0
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll
executable
MD5: 9e242d7c5bf0756dd450139feaf8d67e
SHA256: 8019cd10ef1a1ddae179364934d1a0304cfcfc67be2dd7bca4ee8def93a89ef4
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll
executable
MD5: e0ab625ec3351a8ad7af34850e8c803c
SHA256: 161f737f9c90e67f0fb80e7cd9d6823f83bdd1d971108faa99c6088c278a4f2a
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\kinit.exe
executable
MD5: 4afcab972e98ecbf855f915b2739f508
SHA256: 7cc34a5423bd3fc9fa63d20ebece4103e22e4360df5b9caa2b461069dac77f4d
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\dt_shmem.dll
executable
MD5: 0744e6a5145aa945d89a16eac835fab2
SHA256: c417390f681276ec0d55d81a91b87eae75ca245045f5c23e9b43550b708fb1a6
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jli.dll
executable
MD5: 22ab805e1f217ea0033f82437d2fc5db
SHA256: 45c6aa5006ebaf8ab63f26134f2753bf4f20497942de58bc734e437e2d0f32f6
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\verify.dll
executable
MD5: d8d5c97ebfa71c08fcb7e1a9edc63115
SHA256: 266d7992f7518b7cda33ba5251b0636b00ee13e6b17021311dcc1ba4dd2fc705
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\keytool.exe
executable
MD5: 4951bf5b5b159d2bc43c9b29a979c154
SHA256: 8c40c13f83ea7c95b441548a455b57edac019b1cbfd6c6a068ddad33a6476ff1
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\deploy.dll
executable
MD5: 720edc1469525dfcd3ae211e653d0241
SHA256: bff79fb05667992cc2bda9bae6e5a301baf553042f952203641ccd7e1fc4552d
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jjs.exe
executable
MD5: 0bece1b836681a18ff7477adae7cd970
SHA256: c4916ed2eefc2ae2394625691f5550142eda6cb33e5e713d1e203b76b2141509
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\unpack200.exe
executable
MD5: 79c7da7fa237cbad387e8592524907dc
SHA256: a6316854fe790d22e6264ee3abc3be49686e6e36299c9718be9a20bb3e9fb185
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jp2iexp.dll
executable
MD5: 9e95023ed505c988ba4e94741383d428
SHA256: 5cd202cd92f33cbad11898331dec0791bf0bccf8ddf22849942debde007c3317
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\dcpr.dll
executable
MD5: 682cfd9431e5675900b04febe6cd4eb9
SHA256: 80111e1d706741f5ef7f661835c3aa46664666425aa1b5f93103410f2bee1213
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jp2launcher.exe
executable
MD5: f35d9cba3fe90871eb523aad831f11b0
SHA256: d8e40564694d5a2fdd85ab5345d8589e637e387d59160a74737832670da01597
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\wsdetect.dll
executable
MD5: 9d4fc6d63df062b08882274b977edbb9
SHA256: a78345586e443e0adc6554951946ad874f61ba2ff724fa8121df546a4b21df4a
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jp2native.dll
executable
MD5: f39560555d06cbc2c88f94e9c96f21ee
SHA256: f5faf9f49ca7f199f572e4227896ae839596cc9f6039875f3fa3a0eaddc40084
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\decora_sse.dll
executable
MD5: 94434b8739cb5cd184c63cec209f06e2
SHA256: adf4e9ce0866ff16a16f626cfc62355fb81212b1e7c95dd908e3644f88b77e91
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jp2ssv.dll
executable
MD5: d1d62dcb7536ae4c338a3364f5f6f3bd
SHA256: e5328bcaec7fdba85097c04d5f4f35f648753b3378fb1d9ee6ce6965b9562e90
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll
executable
MD5: 788289c1ede7337f6555cefeb9b69868
SHA256: 699e5ff6df1060df61a32e99c8fc52837f40f774bfa88136af10036f4dd4a578
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jsoundds.dll
executable
MD5: c96099a6d84497e6cb58e97c9d5b76c3
SHA256: b534c43f203c5502e43a5d0fdbfbd9422de342aade635009fab791eb82f3c020
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\awt.dll
executable
MD5: 775d4b37e0ddbfa0eb56db38126fb444
SHA256: e5d4fc7d47a38a389884af1ea5f06f7c61c5cde6afc154a23a3cb5a127da1e34
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jsdt.dll
executable
MD5: dbb92d51eb213d56c5d01052834e9183
SHA256: fe5d22121d6a683bb87b362da85cabf8aead1c171d347d0a16da64c74dd8a3bc
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\zip.dll
executable
MD5: 7a1f4ed63a22d079f9739c1cf5c9b253
SHA256: 9a7251883229ccc36859b02894b541a369c2426a9b5cbdc7e8a10db36f13451e
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jsound.dll
executable
MD5: cfe7513e5805ec5664ead9f86bfe91f2
SHA256: 5303366d9447a7610bd971339f27333767d399fca0a3f01154b082d47bd0a46e
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jpeg.dll
executable
MD5: ec93a126e1db9503fc1ff9b49856fa3c
SHA256: 8cf3344453c02bf21ff8c79a6189f25617ca38cee2632766d0aa4ee07277bc25
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\pack200.exe
executable
MD5: 6cb276cacfc4181e4b648206790d25af
SHA256: 3047b67b36aee78b669fdedfe423e750b125837d92abcdc06983c34c65db71fc
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
executable
MD5: 28d020770921def13b9a8755feadf8e9
SHA256: 379a14d561afeb364f8902c0b5193da229882c6273f2793339e1ad682af516f4
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\README.txt
text
MD5: 0f1123976b959ac5e8b89eb8c245c4bd
SHA256: 963095cf8db76fb8071fd19a3110718a42f2ab42b27a3adfd9ec58981c3e88d2
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jfxwebkit.dll
––
MD5:  ––
SHA256:  ––
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\client\classes.jsa
––
MD5:  ––
SHA256:  ––
2840
javaw.exe
C:\Users\admin\MnDUThwnuWt\zFIfZwxPmWf.paBrKK
java
MD5: a0b52c4568cd247fa59bf99815ad1852
SHA256: 6868ac1c75d13ccb24c6ffada8c8259edcb139f9e717d4e4c412f2bc0c0c9a41
3632
javaw.exe
C:\Users\admin\.oracle_jre_usage\82de497bd14093d8.timestamp
text
MD5: 5f7601804a3909e7daa20f04e35d819a
SHA256: 4f7ff4f6139c36d3b50faf7da1a560156d6793c8005641d90141df9a3c1455ce
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\management\management.properties
text
MD5: 81a43119ab15099c1d70e2d683fc8c0a
SHA256: fcacfa57ce3fe6372c2273abc032a1320be021af42553e2104db9937b6771783
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\management\snmp.acl.template
text
MD5: 71a7de7dbe2977f6ece75c904d430b62
SHA256: f1dc97da5a5d220ed5d5b71110ce8200b16cac50622b33790bb03e329c751ced
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\management\jmxremote.password.template
text
MD5: 7b46c291e7073c31d3ce0adae2f7554f
SHA256: 3d83e336c9a24d09a16063ea1355885e07f7a176a37543463596b5db8d82f8fa
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\management\jmxremote.access
text
MD5: f63bea1f4a31317f6f061d83215594df
SHA256: 439158eb513525feda19e0e4153ccf36a08fe6a39c0c6ceeb9fcee86899dd33c
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jfr\profile.jfc
xml
MD5: 8b5c309810d64a8c62e7cdc6436f97a9
SHA256: f70e4c858a96603de6c042ea796300c232953aab17579ff4e7a47fe9ffe17c26
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_LinkDrop32x32.gif
image
MD5: 694a59efde0648f49fa448a46c4d8948
SHA256: 485cbe5c5144cfcd13cc6d701cdab96e4a6f8660cbc70a0a58f1b7916be64198
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jfr\default.jfc
xml
MD5: 41d5cd8db1f75101304308a9ee3612ff
SHA256: 0c8cd372c548e4ddcbb0fa8cd6fca09d65ec312d784f495be19baf1bf06c57f3
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_MoveDrop32x32.gif
image
MD5: cc8dd9ab7ddf6efa2f3b8bcfa31115c0
SHA256: 12cfce05229dba939ce13375d65ca7d303ce87851ae15539c02f11d1dc824338
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_MoveNoDrop32x32.gif
image
MD5: 1e9d8f133a442da6b0c74d49bc84a341
SHA256: 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
text
MD5: ab9db8d553033c0326bd2d38d77f84c1
SHA256: 38995534df44e0526f8c8c8d479c778a4b34627cfd69f19213cfbe019a7261ba
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\release
text
MD5: 1bccc3a965156e53be3136b3d583b7b6
SHA256: 03a4db27dea69374efbaf121c332d0af05840d16d0c1fbf127d00e65054b118a
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
text
MD5: 745d6db5fc58c63f74ce6a7d4db7e695
SHA256: c77ba9f668fee7e9b810f1493e518adf87233ac8793e4b37c9b3d1ed7846f1c0
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\Welcome.html
html
MD5: 27cf299b6d93faca73fbcdcf4aecfd93
SHA256: 3f1f0ee75588dbba3b143499d08aa9ab431e4a34e483890cfac94a8e1061b7cf
2768
java.exe
C:\Users\admin\AppData\Local\Temp\Retrive2451347384801487964.vbs
––
MD5:  ––
SHA256:  ––
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_LinkNoDrop32x32.gif
image
MD5: 1e9d8f133a442da6b0c74d49bc84a341
SHA256: 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\LICENSE
text
MD5: 98f46ab6481d87c4d77e0e91a6dbc15f
SHA256: 23f9a5c12fa839650595a32872b7360b9e030c7213580fb27dd9185538a5828c
3300
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\COPYRIGHT
text
MD5: 89f660d2b7d58da3efd2fecd9832da9c
SHA256: f6a08c9cc04d7c6a86576c1ef50dd0a690ae5cb503efd205edb2e408bd8d557b
2768
java.exe
C:\Users\admin\AppData\Local\Temp\Retrive7988252353073535831.vbs
text
MD5: 3bdfd33017806b85949b6faa7d4b98e4
SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
2840
javaw.exe
C:\Users\admin\AppData\Local\Temp\Retrive4055006280000470612.vbs
text
MD5: a32c109297ed1ca155598cd295c26611
SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
2840
javaw.exe
C:\Users\admin\AppData\Local\Temp\Retrive1230924861210978264.vbs
text
MD5: 3bdfd33017806b85949b6faa7d4b98e4
SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
2768
java.exe
C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
text
MD5: 945f3d082118ee93d97c92289093ab55
SHA256: 6162a8e63a7ef244696e9a1e930ec1871395f6aff40b02b229075760b97146d3
2840
javaw.exe
C:\Users\admin\AppData\Local\Temp\_0.5095062297411482163979030849212189.class
java
MD5: 781fb531354d6f291f1ccab48da6d39f
SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
2840
javaw.exe
C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f
dbf
MD5: c8366ae350e7019aefc9d1e6e6a498c6
SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
2840
javaw.exe
C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
text
MD5: f6a859c9d6051259b29fe8b5ff4c742d
SHA256: 5ca6350994e0f3a1d659ace31cee9a6492741ad5dfa4557f990c2d8cce72a68e
3528
cmd.exe
C:\Users\admin\AppData\Local\Temp\output.txt
text
MD5: fcf81edeae4e8c13e8b099a9ee455e27
SHA256: 0ccc5ddb797429e5625aedb2ecee3f42e97221264cd69d5ff53a094f72fe5d7b
2204
javaw.exe
C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
text
MD5: f24a5140ee9b62e19a29c6f75375ad95
SHA256: e5b5e59e8ed618c3162746510f9ac3da503daf0a141dcdeac8830bee4ec80205
2740
WScript.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nOEIXYweyr.vbs
text
MD5: f5335aa5eb922d7d3efb290453fa45f7
SHA256: 055eec0f62c712dad78c47bcc82e5fd7906918cb6603af786d0f610b4819d675
3228
wscript.exe
C:\Users\admin\AppData\Roaming\ntfsmgr.jar
java
MD5: a0b52c4568cd247fa59bf99815ad1852
SHA256: 6868ac1c75d13ccb24c6ffada8c8259edcb139f9e717d4e4c412f2bc0c0c9a41
3228
wscript.exe
C:\Users\admin\AppData\Roaming\nOEIXYweyr.vbs
text
MD5: f5335aa5eb922d7d3efb290453fa45f7
SHA256: 055eec0f62c712dad78c47bcc82e5fd7906918cb6603af786d0f610b4819d675
3708
javaw.exe
C:\Users\admin\auqtoxxxcf.vbs
text
MD5: c6c7188b62ba55f61079905e440bec5d
SHA256: f675909d117b16e8fffac9549952e60a1c92059e613af4886dc6fc2efec29111
3708
javaw.exe
C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
text
MD5: 56b384916a58966e0b50bd375004c9b7
SHA256: d6f658313a46d7dcf7529bb82aa913a710d48209ebd8aa89d94d2d9bb2bd0e8d
3468
WinRAR.exe
C:\Users\admin\Desktop\jre-8u201-windows-x64.jar
compressed
MD5: 7c1fce87f5e2edc6d659779ea764db83
SHA256: bf9e93cf79a31e582bc70e817fbb7036edd07fc8a353358a1ada2d4eb7420d5a
3468
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DIa3468.20105\jre-8u201-windows-x64.jar
compressed
MD5: 7c1fce87f5e2edc6d659779ea764db83
SHA256: bf9e93cf79a31e582bc70e817fbb7036edd07fc8a353358a1ada2d4eb7420d5a


Network activity

HTTP(S) requests
4
TCP/UDP connections
2
DNS requests
0
Threats
12

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2740 WScript.exe POST 404 5.206.225.115:7788 http://5.206.225.115:7788/is-ready NL xml malicious
2740 WScript.exe POST 404 5.206.225.115:7788 http://5.206.225.115:7788/is-ready NL xml malicious
2740 WScript.exe POST –– 5.206.225.115:7788 http://5.206.225.115:7788/is-ready NL –– –– malicious
–– –– POST 404 5.206.225.115:7788 http://5.206.225.115:7788/is-ready NL xml malicious


Connections

PID Process IP ASN CN Reputation
2740 WScript.exe 5.206.225.115:7788 Dotsi, Unipessoal Lda. NL malicious
–– –– 5.206.225.115:7788 Dotsi, Unipessoal Lda. NL malicious

DNS requests

No DNS requests.

Threats

PID Process Class Message
2740 WScript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2740 WScript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
2740 WScript.exe A Network Trojan was detected MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
2740 WScript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2740 WScript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
2740 WScript.exe A Network Trojan was detected MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
2740 WScript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
2740 WScript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
2740 WScript.exe A Network Trojan was detected MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan
–– –– A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
–– –– A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
–– –– A Network Trojan was detected MALWARE [PTsecurity] Dunihi VBS.Downloader.Trojan

Debug output strings

No debug info.