General Info

File name

jenqtgIyHB_newaso-1.vbs

Full analysis
https://app.any.run/tasks/5b3a80a3-e16c-4ff3-8990-619fb98dce2c
Verdict
Malicious activity
Analysis date
1/11/2019, 12:44:15
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

adwind

trojan

Indicators:

MIME:
text/plain
File info:
ASCII text, with very long lines
MD5

d060268ac9ded5aef4ef02ec8746b855

SHA1

b7ddadaef636f912e57a522b952ebba81f208e94

SHA256

97d49480df6ccb207504396edd8c99a342ffd4ca8f14a2c3b46054628fbbfb92

SSDEEP

12288:G6N6PsB9/Sv1Im0xdCP3EG8m6UHd8J01N7mVXpVLlMnaNhUmj6EZ9e/g4S6K3CeI:GMCwRy0C0GyUc077aXOpnECI4SHK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
off

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • explorer.exe (PID: 116)
  • java.exe (PID: 3076)
  • WScript.exe (PID: 2960)
  • cmd.exe (PID: 3128)
  • javaw.exe (PID: 3752)
  • javaw.exe (PID: 3344)
  • javaw.exe (PID: 3888)
  • java.exe (PID: 3816)
Actions looks like stealing of personal data
  • explorer.exe (PID: 116)
AdWind was detected
  • java.exe (PID: 3076)
  • java.exe (PID: 3816)
ADWIND was detected
  • javaw.exe (PID: 3752)
Application was dropped or rewritten from another process
  • java.exe (PID: 3076)
  • javaw.exe (PID: 3344)
  • javaw.exe (PID: 3752)
  • java.exe (PID: 3816)
  • javaw.exe (PID: 3888)
Changes the autorun value in the registry
  • reg.exe (PID: 3380)
  • WScript.exe (PID: 2960)
  • WScript.exe (PID: 2336)
Writes to a start menu file
  • WScript.exe (PID: 2336)
Creates files in the user directory
  • notepad++.exe (PID: 2168)
  • WScript.exe (PID: 2336)
  • javaw.exe (PID: 3344)
  • WScript.exe (PID: 2960)
  • xcopy.exe (PID: 3732)
Executes scripts
  • cmd.exe (PID: 2308)
  • cmd.exe (PID: 2196)
  • cmd.exe (PID: 1748)
  • cmd.exe (PID: 2316)
  • cmd.exe (PID: 3108)
  • cmd.exe (PID: 3060)
  • cmd.exe (PID: 308)
  • cmd.exe (PID: 2464)
  • explorer.exe (PID: 116)
  • WScript.exe (PID: 2960)
Starts CMD.EXE for commands execution
  • java.exe (PID: 3076)
  • javaw.exe (PID: 3752)
  • java.exe (PID: 3816)
  • javaw.exe (PID: 3344)
  • WScript.exe (PID: 2960)
Connects to unusual port
  • javaw.exe (PID: 3752)
Executable content was dropped or overwritten
  • javaw.exe (PID: 3752)
  • xcopy.exe (PID: 3732)
Uses ATTRIB.EXE to modify file attributes
  • javaw.exe (PID: 3344)
Starts itself from another location
  • javaw.exe (PID: 3344)
Uses REG.EXE to modify Windows registry
  • javaw.exe (PID: 3344)
Executes JAVA applets
  • cmd.exe (PID: 3128)
  • javaw.exe (PID: 3344)
  • WScript.exe (PID: 2960)
Application launched itself
  • WScript.exe (PID: 2960)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

Screenshots

Processes

Total processes
88
Monitored processes
34
Malicious processes
9
Suspicious processes
1

Behavior graph

+
start wscript.exe wscript.exe cmd.exe no specs javaw.exe no specs javaw.exe no specs java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs xcopy.exe cmd.exe no specs cscript.exe no specs reg.exe attrib.exe no specs attrib.exe no specs #ADWIND javaw.exe java.exe cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs cmd.exe no specs cscript.exe no specs wmic.exe no specs notepad++.exe gup.exe notepad.exe no specs explorer.exe notepad.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
116
CMD
C:\Windows\Explorer.EXE
Path
C:\Windows\explorer.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wscript.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\imageres.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\bdeunlockwizard.exe
c:\windows\system32\searchfolder.dll
c:\windows\system32\naturallanguage6.dll
c:\windows\system32\nlsdata0009.dll
c:\windows\system32\nlslexicons0009.dll
c:\windows\system32\mssvp.dll
c:\windows\system32\mapi32.dll
c:\program files\microsoft office\office14\mapishell.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\1033\mapishellr.dll
c:\program files\microsoft office\office14\onfilter.dll
c:\windows\system32\twext.dll
c:\program files\winrar\rarext.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\zipfldr.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\sendmail.dll
c:\windows\system32\mydocs.dll
c:\windows\system32\wfsr.dll
c:\program files\notepad++\notepad++.exe
c:\program files\notepad++\updater\gup.exe
c:\windows\system32\wshext.dll
c:\windows\system32\notepad.exe
c:\users\admin\appdata\local\temp\windows3985067333209210860.dll

PID
2960
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\jenqtgIyHB_newaso-1.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\program files\java\jre1.8.0_92\bin\java.dll

PID
2336
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\UwwogLCzsN.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll

PID
3128
CMD
"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version 2> C:\Users\admin\AppData\Local\Temp\output.txt
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\program files\java\jre1.8.0_92\bin\java.dll

PID
3888
CMD
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version
Path
C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\program files\java\jre1.8.0_92\bin\verify.dll
c:\program files\java\jre1.8.0_92\bin\java.dll
c:\program files\java\jre1.8.0_92\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll

PID
3344
CMD
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar"
Path
C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\program files\java\jre1.8.0_92\bin\verify.dll
c:\program files\java\jre1.8.0_92\bin\java.dll
c:\program files\java\jre1.8.0_92\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptbase.dll
c:\program files\java\jre1.8.0_92\bin\net.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\program files\java\jre1.8.0_92\bin\nio.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\java.exe
c:\program files\java\jre1.8.0_92\bin\sunec.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\program files\java\jre1.8.0_92\bin\awt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xcopy.exe
c:\program files\java\jre1.8.0_92\bin\management.dll
c:\users\admin\appdata\roaming\oracle\bin\javaw.exe
c:\users\admin\appdata\roaming\oracle\bin\java.dll

PID
3816
CMD
"C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\AppData\Local\Temp\_0.92975766311239084736571209146325359.class
Path
C:\Program Files\Java\jre1.8.0_92\bin\java.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\program files\java\jre1.8.0_92\bin\java.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\program files\java\jre1.8.0_92\bin\verify.dll
c:\program files\java\jre1.8.0_92\bin\java.dll
c:\program files\java\jre1.8.0_92\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\program files\java\jre1.8.0_92\bin\sunec.dll
c:\program files\java\jre1.8.0_92\bin\net.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\program files\java\jre1.8.0_92\bin\nio.dll
c:\program files\java\jre1.8.0_92\bin\awt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\program files\java\jre1.8.0_92\bin\management.dll
c:\program files\java\jre1.8.0_92\bin\sunmscapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
308
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1114622237184961528.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cscript.exe

PID
2796
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1114622237184961528.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2464
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4596543679496563502.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
2916
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive4596543679496563502.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3108
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5468907058527888957.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
java.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
2128
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive5468907058527888957.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3732
CMD
xcopy "C:\Program Files\Java\jre1.8.0_92" "C:\Users\admin\AppData\Roaming\Oracle\" /e
Path
C:\Windows\system32\xcopy.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Extended Copy Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\xcopy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3060
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1493447988114851523.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
java.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
3804
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive1493447988114851523.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3380
CMD
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MFHMpIvWAxs /t REG_EXPAND_SZ /d "\"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\admin\jZOkYHeFpOU\USiOzNLmhfc.IkTbjA\"" /f
Path
C:\Windows\system32\reg.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3236
CMD
attrib +h "C:\Users\admin\jZOkYHeFpOU\*.*"
Path
C:\Windows\system32\attrib.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Attribute Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2484
CMD
attrib +h "C:\Users\admin\jZOkYHeFpOU"
Path
C:\Windows\system32\attrib.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Attribute Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\attrib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ulib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3752
CMD
C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\admin\jZOkYHeFpOU\USiOzNLmhfc.IkTbjA
Path
C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\users\admin\appdata\roaming\oracle\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\roaming\oracle\bin\msvcr100.dll
c:\users\admin\appdata\roaming\oracle\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\roaming\oracle\bin\verify.dll
c:\users\admin\appdata\roaming\oracle\bin\java.dll
c:\users\admin\appdata\roaming\oracle\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cryptbase.dll
c:\users\admin\appdata\roaming\oracle\bin\net.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\users\admin\appdata\roaming\oracle\bin\nio.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\oracle\bin\java.exe
c:\users\admin\appdata\roaming\oracle\bin\sunec.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\users\admin\appdata\roaming\oracle\bin\awt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\users\admin\appdata\roaming\oracle\bin\management.dll
c:\users\admin\appdata\roaming\oracle\bin\sunmscapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\users\admin\appdata\local\temp\windows3985067333209210860.dll
c:\windows\system32\vga.dll

PID
3076
CMD
C:\Users\admin\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\admin\AppData\Local\Temp\_0.92356196755314895831177030028162598.class
Path
C:\Users\admin\AppData\Roaming\Oracle\bin\java.exe
Indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Oracle Corporation
Description
Java(TM) Platform SE binary
Version
8.0.920.14
Modules
Image
c:\users\admin\appdata\roaming\oracle\bin\java.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\roaming\oracle\bin\msvcr100.dll
c:\users\admin\appdata\roaming\oracle\bin\client\jvm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\roaming\oracle\bin\verify.dll
c:\users\admin\appdata\roaming\oracle\bin\java.dll
c:\users\admin\appdata\roaming\oracle\bin\zip.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\users\admin\appdata\roaming\oracle\bin\sunec.dll
c:\users\admin\appdata\roaming\oracle\bin\net.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\users\admin\appdata\roaming\oracle\bin\nio.dll
c:\users\admin\appdata\roaming\oracle\bin\awt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\users\admin\appdata\roaming\oracle\bin\management.dll
c:\users\admin\appdata\roaming\oracle\bin\sunmscapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
2196
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive584406034362763191.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
2728
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive584406034362763191.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imm32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
1748
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7585012980263568154.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
3716
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive7585012980263568154.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2316
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6577381704930438124.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
java.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
3024
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive6577381704930438124.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2308
CMD
cmd.exe /C cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8392861628791905762.vbs
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
java.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cscript.exe
c:\windows\system32\apphelp.dll

PID
3172
CMD
cscript.exe C:\Users\admin\AppData\Local\Temp\Retrive8392861628791905762.vbs
Path
C:\Windows\system32\cscript.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Console Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\cscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3288
CMD
WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
Path
C:\Windows\System32\Wbem\WMIC.exe
Indicators
No indicators
Parent process
javaw.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\xml\wmi2xml.dll

PID
2168
CMD
"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\GDIPFONTCACHEV1.DAT"
Path
C:\Program Files\Notepad++\notepad++.exe
Indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Don HO [email protected]
Description
Notepad++ : a free (GNU) source code editor
Version
7.51
Modules
Image
c:\program files\notepad++\notepad++.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\program files\notepad++\scilexer.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\program files\notepad++\updater\gup.exe
c:\windows\system32\windowscodecs.dll
c:\program files\notepad++\plugins\mimetools.dll
c:\program files\notepad++\plugins\nppconverter.dll
c:\program files\notepad++\plugins\nppexport.dll

PID
1884
CMD
"C:\Program Files\Notepad++\updater\gup.exe" -v7.51
Path
C:\Program Files\Notepad++\updater\gup.exe
Indicators
Parent process
notepad++.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Don HO [email protected]
Description
GUP : a free (LGPL) Generic Updater
Version
4.1
Modules
Image
c:\program files\notepad++\updater\gup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\notepad++\updater\libcurl.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\normaliz.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll

PID
2132
CMD
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\output.txt
Path
C:\Windows\system32\NOTEPAD.EXE
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Notepad
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll

PID
864
CMD
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\StructuredQuery.log
Path
C:\Windows\system32\NOTEPAD.EXE
Indicators
No indicators
Parent process
explorer.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Notepad
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll

Registry activity

Total events
52542
Read events
51879
Write events
663
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2960
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2960
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2960
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ntfsmgr
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar"
3380
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
MFHMpIvWAxs
"C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\admin\jZOkYHeFpOU\USiOzNLmhfc.IkTbjA"
2336
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\UwwogLCzsN
false - 1/11/2019
2336
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
UwwogLCzsN
wscript.exe //B "C:\Users\admin\AppData\Roaming\UwwogLCzsN.vbs"
2336
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
UwwogLCzsN
wscript.exe //B "C:\Users\admin\AppData\Roaming\UwwogLCzsN.vbs"
2336
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
EnableFileTracing
0
2336
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
EnableConsoleTracing
0
2336
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
FileTracingMask
4294901760
2336
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
ConsoleTracingMask
4294901760
2336
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
MaxFileSize
1048576
2336
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
FileDirectory
%windir%\tracing
2336
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
EnableFileTracing
0
2336
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
EnableConsoleTracing
0
2336
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
FileTracingMask
4294901760
2336
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
ConsoleTracingMask
4294901760
2336
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
MaxFileSize
1048576
2336
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
FileDirectory
%windir%\tracing
2336
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2336
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2336
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2336
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ApplicationDestinations
MaxEntries
15
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NodeSlots
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
MRUListEx
0100000000000000020000000700000006000000030000000500000004000000FFFFFFFF
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
Locked
1
116
explorer.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Client\ServiceStartup
UuidSequenceNumber
14072536
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@C:\Windows\System32\BdeUnlockWizard.exe,-100
&Unlock Drive...
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Rev
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1092616193
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Vid
{65F125E5-7BE1-4810-BA9D-D271C8432CE3}
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Mode
6
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
LogicalViewMode
2
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1092616209
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
IconSize
48
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A000000A000000030F125B7EF471A10A5F102608C9EEBAC04000000C8000000354B179BFF40D211A27E00C04FC308710300000080000000354B179BFF40D211A27E00C04FC308710200000080000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Sort
000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupCollapseState
000000000000000000000000000000000000000000000000000000000000000001000000110000000000000011000000480061007200640020004400690073006B0020004400720069007600650073000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupView
4294967295
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:FMTID
{B725F130-47EF-101A-A5F1-02608C9EEBAC}
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:PID
4
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\27\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByDirection
1
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell
SniffedFolderType
Generic
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Modules\GlobalSettings\ProperTreeModuleInner
ProperTreeModuleInner
94000000900000003153505305D5CDD59C2E1B10939708002B2CF9AE4100000030000000004E0061007600500061006E0065005F00530068006F0077004C00690062007200610072007900500061006E00650000000B000000FFFF00003300000022000000004E0061007600500061006E0065005F0046006900720073007400520075006E0000000B000000000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
ExpandedState
06000000160014001F8080A63C324DC29940B94D446DD2D7249E0000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000160014001F4225481E03947BC34DB131E946B44C8DD50000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000160014001F43983FFBB4EAC18D42A78AD1F5659CBA930000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D0000000000000000002000000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000160014001F580D1A2CF021BE504388B07367FC96EF3C0000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B00000000000000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000160014001F50E04FD020EA3A6910A2D808002B30309D0000010000004D0000002D00000031535053357EC777E31B5043A48C7563D727776D1100000002000000000B000000FFFF0000000000001C00000031535053A66A63283D95D211B5D600C04FD918D00000000000000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0
MRUListEx
0000000001000000020000000400000003000000FFFFFFFF
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\Directory\OpenWithProgids
File Folder
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Rev
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1092616193
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Vid
{137E7700-3573-11CF-AE69-08002B2E1262}
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Mode
4
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
LogicalViewMode
1
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
IconSize
16
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A0000001001000030F125B7EF471A10A5F102608C9EEBAC0E0000007800000030F125B7EF471A10A5F102608C9EEBAC040000007800000030F125B7EF471A10A5F102608C9EEBAC0C00000050000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Sort
000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupView
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:FMTID
{00000000-0000-0000-0000-000000000000}
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:PID
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\34\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByDirection
1
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\54\Shell
SniffedFolderType
Generic
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NodeSlots
0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0
NodeSlot
95
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\95\Shell
KnownFolderDerivedFolderType
{57807898-8C4F-4462-BB63-71042380B109}
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\54\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Rev
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\54\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1092616193
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\54\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Vid
{137E7700-3573-11CF-AE69-08002B2E1262}
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\54\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Mode
4
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\54\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
LogicalViewMode
1
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\54\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
IconSize
16
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\54\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A0000001001000030F125B7EF471A10A5F102608C9EEBAC0E0000007800000030F125B7EF471A10A5F102608C9EEBAC040000007800000030F125B7EF471A10A5F102608C9EEBAC0C00000050000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\54\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Sort
000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\54\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupView
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\54\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:FMTID
{00000000-0000-0000-0000-000000000000}
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\54\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:PID
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\54\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByDirection
1
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\95\Shell
SniffedFolderType
Generic
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
MinPos1280x720x96(1).x
4294967295
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
MinPos1280x720x96(1).y
4294967295
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
MaxPos1280x720x96(1).x
4294967295
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
MaxPos1280x720x96(1).y
4294967295
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
WinPos1280x720x96(1).left
22
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
WinPos1280x720x96(1).top
22
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
WinPos1280x720x96(1).right
822
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
WinPos1280x720x96(1).bottom
582
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
WFlags
2
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
ShowCmd
3
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
HotKey
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
NavBar
000000000000000000000000000000008B000000870000003153505305D5CDD59C2E1B10939708002B2CF9AE6B0000005A000000007B00360044003800420042003300440033002D0039004400380037002D0034004100390031002D0041004200350036002D003400460033003000430046004600450046004500390046007D005F0057006900640074006800000013000000F00000000000000000000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\95\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Rev
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\95\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1092616193
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\95\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Vid
{137E7700-3573-11CF-AE69-08002B2E1262}
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr
000000000600000009000000A5180400000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF6012F7D45C48D40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002E0000003D000000F7791500090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\95\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Mode
4
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\95\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
LogicalViewMode
1
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\95\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
IconSize
16
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\95\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A0000001001000030F125B7EF471A10A5F102608C9EEBAC0E0000007800000030F125B7EF471A10A5F102608C9EEBAC040000007800000030F125B7EF471A10A5F102608C9EEBAC0C00000050000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\95\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Sort
000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\95\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupView
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\95\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:FMTID
{00000000-0000-0000-0000-000000000000}
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\95\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:PID
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\95\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByDirection
1
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\73\Shell
SniffedFolderType
Generic
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0
MRUListEx
0100000000000000FFFFFFFF
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\73\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Rev
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\73\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1092616193
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\73\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Vid
{137E7700-3573-11CF-AE69-08002B2E1262}
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\73\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Mode
4
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\73\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
LogicalViewMode
1
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\73\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
IconSize
16
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\73\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A0000001001000030F125B7EF471A10A5F102608C9EEBAC0E0000007800000030F125B7EF471A10A5F102608C9EEBAC040000007800000030F125B7EF471A10A5F102608C9EEBAC0C00000050000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\73\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Sort
000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\73\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupView
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\73\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:FMTID
{00000000-0000-0000-0000-000000000000}
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\73\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:PID
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\73\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByDirection
1
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\74\Shell
SniffedFolderType
Generic
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr
000000000600000009000000B1860400000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF6012F7D45C48D40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002E0000003D00000003E81500090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Abgrcnq++\abgrcnq++.rkr
000000000000000000000000E6200000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002E0000003D000000E9081600090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr
00000000060000000A000000B1860400000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF6012F7D45C48D40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002E0000003E000000E9081600090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1
4
46003100000000001C4D7362102043454600340008000400EFBE1C4D73621C4D73622A000000AAC80000000003000000000000000000000000000000430045004600000012000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1
MRUListEx
0400000003000000020000000100000000000000FFFFFFFF
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NodeSlots
020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\4
NodeSlot
96
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\4
MRUListEx
FFFFFFFF
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\96\Shell
KnownFolderDerivedFolderType
{57807898-8C4F-4462-BB63-71042380B109}
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\74\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Rev
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\74\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1092616193
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\74\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Vid
{137E7700-3573-11CF-AE69-08002B2E1262}
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\74\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Mode
4
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\74\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
LogicalViewMode
1
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\74\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
IconSize
16
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\74\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A0000001001000030F125B7EF471A10A5F102608C9EEBAC0E0000007800000030F125B7EF471A10A5F102608C9EEBAC040000007800000030F125B7EF471A10A5F102608C9EEBAC0C00000050000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\74\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Sort
000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\74\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupView
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\74\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:FMTID
{00000000-0000-0000-0000-000000000000}
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\74\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:PID
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\74\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByDirection
1
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\96\Shell
SniffedFolderType
Generic
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\96\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Rev
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\96\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1092616193
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\96\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Vid
{137E7700-3573-11CF-AE69-08002B2E1262}
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\96\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Mode
4
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\96\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
LogicalViewMode
1
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\96\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
IconSize
16
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\96\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A0000001001000030F125B7EF471A10A5F102608C9EEBAC0E0000007800000030F125B7EF471A10A5F102608C9EEBAC040000007800000030F125B7EF471A10A5F102608C9EEBAC0C00000050000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\96\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Sort
000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\96\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupView
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\96\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:FMTID
{00000000-0000-0000-0000-000000000000}
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\96\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:PID
0
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\96\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByDirection
1
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1
MRUListEx
0000000004000000030000000200000001000000FFFFFFFF
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\39\Shell
SniffedFolderType
Generic
116
explorer.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
@C:\Windows\System32\wshext.dll,-4802
VBScript Script File
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids
txtfile
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\ABGRCNQ.RKR
00000000010000000000000000000000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFB012B5AFA3A9D40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002F0000003E000000E9081600090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList
a
NOTEPAD.EXE
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList
MRUList
a
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr
00000000060000000A000000DABB0400000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF6012F7D45C48D40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002F0000003E000000123E1600090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702060000000A000000DABB04007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E0065007800650000006BB6EE7564E837028CEA37021870800004EE37027CB6EE758CEA37027E708000000000007E708000489B080643003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C0049006E007400650072006E006500740020004500780070006C006F007200650072005C0051007500690063006B0020004C00610075006E00630068005C0055007300650072002000500069006E006E00650064005C005400610073006B004200610072005C004F007000650072006100310032002E0031003500200031003700340038002E006C006E006B00000000000000000000000000000002003600FD1A00D20000000000000000A86D760000000000160000000000000005000000181FF0022066750011000000B8457800B04578002380B109FCE900002251A06BACE937028291F075FCE93702B0E937022795F075000000005459EE02D8E93702CD94F0755459EE0284EA3702C854EE02E194F07500000000C854EE0284EA3702E0E93702
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\abgrcnq.rkr
000000000100000000000000D9100000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFB012B5AFA3A9D40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002F0000003E000000EB4E1600090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702060000000A000000DABB04007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E0065007800650000006BB6EE7564E837028CEA37021870800004EE37027CB6EE758CEA37027E708000000000007E708000489B080643003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C0049006E007400650072006E006500740020004500780070006C006F007200650072005C0051007500690063006B0020004C00610075006E00630068005C0055007300650072002000500069006E006E00650064005C005400610073006B004200610072005C004F007000650072006100310032002E0031003500200031003700340038002E006C006E006B00000000000000000000000000000002003600FD1A00D20000000000000000A86D760000000000160000000000000005000000181FF0022066750011000000B8457800B04578002380B109FCE900002251A06BACE937028291F075FCE93702B0E937022795F075000000005459EE02D8E93702CD94F0755459EE0284EA3702C854EE02E194F07500000000C854EE0284EA3702E0E93702
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr
00000000060000000B000000DABB0400000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF6012F7D45C48D40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
000000002F0000003F000000EB4E1600090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702060000000B000000DABB04007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E0065007800650000002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C006E006F00740065007000610064002E0065007800650000006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00570069006E0064006F00770073005C005300740061007200740020004D0065006E0075005C00500072006F006700720061006D0073005C004100630063006500730073006F0072006900650073005C004E006F00740065007000610064002E006C006E006B00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000E72F0A77CFB925750000000011000000B8457800B04578002380B1090400A0014301000000EA00002A51A06BB4E937028291F07500EA3702B8E937022795F075000000005459EE02E0E93702CD94F0755459EE02C854EE0284EA3702E194F07500000000C854EE0284EA3702E8E93702
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\OpenWithProgids
dllfile
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\ABGRCNQ.RKR
000000000200000000000000D9100000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF201544B8A3A9D40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
00000000300000003F000000EB4E1600090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702060000000B000000DABB04007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E0065007800650000002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C006E006F00740065007000610064002E0065007800650000006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00570069006E0064006F00770073005C005300740061007200740020004D0065006E0075005C00500072006F006700720061006D0073005C004100630063006500730073006F0072006900650073005C004E006F00740065007000610064002E006C006E006B00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000E72F0A77CFB925750000000011000000B8457800B04578002380B1090400A0014301000000EA00002A51A06BB4E937028291F07500EA3702B8E937022795F075000000005459EE02E0E93702CD94F0755459EE02C854EE0284EA3702E194F07500000000C854EE0284EA3702E8E93702
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.log\OpenWithList
a
NOTEPAD.EXE
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.log\OpenWithList
MRUList
a
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr
00000000060000000B00000009E30400000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF6012F7D45C48D40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
00000000300000003F0000001A761600090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702060000000B00000009E304007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E0065007800650000006BB6EE7564E837028CEA37021870800004EE37027CB6EE758CEA37027E708000000000007E708000D099FB0543003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C0049006E007400650072006E006500740020004500780070006C006F007200650072005C0051007500690063006B0020004C00610075006E00630068005C0055007300650072002000500069006E006E00650064005C005400610073006B004200610072005C004F007000650072006100310032002E0031003500200031003700340038002E006C006E006B00000000000000000000000000000005000200E30B00000000000000000000C0A176000000000016000000000000000600000090B02D032066750011000000B8457800B04578002380B109FCE900002251A06BACE937028291F075FCE93702B0E937022795F075000000005459EE02D8E93702CD94F0755459EE0284EA3702C854EE02E194F07500000000C854EE0284EA3702E0E93702
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.log\OpenWithProgids
txtfile
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{Q65231O0-O2S1-4857-N4PR-N8R7P6RN7Q27}\abgrcnq.rkr
000000000200000000000000241C0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF201544B8A3A9D40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
00000000300000003F00000065811600090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702060000000B00000009E304007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E0065007800650000006BB6EE7564E837028CEA37021870800004EE37027CB6EE758CEA37027E708000000000007E708000D099FB0543003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C0049006E007400650072006E006500740020004500780070006C006F007200650072005C0051007500690063006B0020004C00610075006E00630068005C0055007300650072002000500069006E006E00650064005C005400610073006B004200610072005C004F007000650072006100310032002E0031003500200031003700340038002E006C006E006B00000000000000000000000000000005000200E30B00000000000000000000C0A176000000000016000000000000000600000090B02D032066750011000000B8457800B04578002380B109FCE900002251A06BACE937028291F075FCE93702B0E937022795F075000000005459EE02D8E93702CD94F0755459EE0284EA3702C854EE02E194F07500000000C854EE0284EA3702E0E93702
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr
00000000060000000C00000009E30400000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF6012F7D45C48D40100000000
116
explorer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
HRZR_PGYFRFFVBA
00000000300000004000000065811600090000000B000000DCC402007B00370043003500410034003000450046002D0041003000460042002D0034004200460043002D0038003700340041002D004300300046003200450030004200390046004100380045007D005C00410064006F00620065005C004100630072006F0062006100740020005200650061006400650072002000440043005C005200650061006400650072005C004100630072006F0052006400330032002E0065007800650000000000D09866060000000034E82802C05D5A740200000002000000000C00940F000000E8E82802010000000400000001000000010000006B001001D098660605000000D098660602020000E20101AE2B51EA0088E7280239B58D76E20101AE24E82802130000000400000030000000120000001D000000130000001D0000000E00000012000000020000003200000014000000E387EE7A38E82802F3AE5B7400574100E20101AE010000000000000011000000F0443500E8443500A14A52740000000020E800001F51EA7AD0E728028291917520E828028CD800006B51EA7AE4E72802B69C917590D8D4035C0000000401000084F2280244F228026B4E317411000000F0443500E8443500A8EAD403FA4F31740000000074E80000AB5EEA7A24E828028291917574E8280228E8280227959175000000008CD8D40350E82802CD9491758CD8D403FCE8280200D4D403E19491750000000000D4D403FCE8280258E82802000000000E0000005DEC04007B00440036003500320033003100420030002D0042003200460031002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C007400610073006B006D00670072002E0065007800650000003702000008023CE23702350100C082BAD075B048D4750200000001000000A048D4750100000068E23702C5B8D075A848D47501000000C81008000000000090E237026BB9D07500000000350100C001000000B0E23702973CB8779C3CB877F58CF77501000000350100C00000000088E23702FFFFFFFFF8E23702EDE0B47745727800FEFFFFFFC0E237020D6BD075A0E737028CE8370200000000F8E23702973CB8779C3CB877BD8CF775000000008CE83702A0E73702D0E237020100000070E73702EDE0B47745727800FEFFFFFF08E337020D6BD0757E0000008CE8370280E73702F36BD075E186D0752794C6128CE8370210000000570104003E0040008CE83702A0E73702000000000000000000000000000008025CE537020000080254E33702350100C000000000D8E637023200000018000000000000000000000088E3370211000000B8450B00B0450B0032000000D8E63702F0E300009B1EC112A0E3370282919576F0E33702A4E3370227959576000000006C155002CCE33702CD9495766C15500278E43702E0105002E194957600000000E010500278E43702D4E33702060000000C00000009E304007B00460033003800420046003400300034002D0031004400340033002D0034003200460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E0065007800650000002D0034003800350037002D0041003400430045002D004100380045003700430036004500410037004400320037007D005C006E006F00740065007000610064002E0065007800650000006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00570069006E0064006F00770073005C005300740061007200740020004D0065006E0075005C00500072006F006700720061006D0073005C004100630063006500730073006F0072006900650073005C004E006F00740065007000610064002E006C006E006B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000750011000000B8457800B04578002380B10900007B000000000000EA00002A51A06BB4E937028291F07500EA3702B8E937022795F075000000005459EE02E0E93702CD94F0755459EE02C854EE0284EA3702E194F07500000000C854EE0284EA3702E8E93702
2132
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosX
110
2132
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosY
110
2132
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosDX
960
2132
NOTEPAD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Notepad
iWindowPosDY
501
2168
notepad++.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2168
notepad++.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2168
notepad++.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3752
javaw.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
javaw.exe

Files activity

Executable files
111
Suspicious files
10
Text files
83
Unknown types
15

Dropped files

PID
Process
Filename
Type
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
executable
MD5: 552aac2111a39f27bad9293d3be57345
SHA256: d1deaa4b7feebfeed58eda969c9fb9bc5791ad7e67f47c596280375cbda3f46f
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javacpl.cpl
executable
MD5: cd05e44e94beac05b27a6aa25e51a4c6
SHA256: e3259bb7ef907c0bb74e192e40e57fdf96c903bbc580975348dfef42839669ff
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\rmid.exe
executable
MD5: 4cf042cf43f9a5c0be43a263d987c0f3
SHA256: 6513c40184d496e86e34e327c960b06d20900c3092084a708d890f5376c43cf5
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll
executable
MD5: deee2457bde2311f3c24d1b2257364f0
SHA256: ed68df1e549a092674259b1f806a31839ca426572020a7dbe0c46e492b272ec9
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\resource.dll
executable
MD5: 2999d73f5764b3ac8c43e756391b09ea
SHA256: 15b4fdfe5ddb1820ddc468ac5d0e65045ca6aaea21d3a5a66ecaa8fc1ce48835
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\prism_d3d.dll
executable
MD5: fb3c4f45e3f7d365c282062ddda1614d
SHA256: f9108ac2555dbc5a6b43cc9504394089be60eae4127397dc651e06b3e7585b00
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\rmiregistry.exe
executable
MD5: bf40067f5dafd9c46ec2f13b176433ce
SHA256: ba2d5038501cf3f3a31616a122f6cd2554d13219e717ef89c6aa1a07eb1cc145
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\java.dll
executable
MD5: 0649a7b16b9f472bb9db8a6d2041cf6c
SHA256: 30a048a35865ca5bcea35ebecf7f01f08e8d20b0c4a3e9e0132540815eda1d89
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\servertool.exe
executable
MD5: 7ec73dab19a45049c9d003383086b631
SHA256: bbe145615886dbb3f4ada7617d1a15fe2aee6cea5dbe34e9c216d1bde1121891
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\j2pkcs11.dll
executable
MD5: bfbf13215d29658ff8c8122efa95e16d
SHA256: 91b6e445f5b4510c9d66641b1eed925f54dc2e84f3ddb0ff16ed5b0ac4bdc977
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\splashscreen.dll
executable
MD5: 20e2531c9f14c7c5846191e131645cfc
SHA256: a6ea1b705acdda1bb3cd1c3cdcbfe7c86c81654537db8b48f65a781578ffbd77
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
executable
MD5: 85f9443836bdc0e4814d080d0de00a26
SHA256: 33fe38e43821c7e7d3b46317fab571926174492affd576f6ecd06bffe7a7c1b7
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\j2pcsc.dll
executable
MD5: 54ede8c09212070f6a6ac4a99c91d9a9
SHA256: 7a9f32ecba3dcaeb653293780812969e2534da7b8e652a24e56271cd088c7a36
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\policytool.exe
executable
MD5: 35f95392b3283b90d1f581d4766ed48f
SHA256: d81308da68136fd421eb56fa2b586ec6801ccf0827d85f495227e6d6c40fc69e
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\ssv.dll
executable
MD5: d8bea123df9f452122d25d45904e7fa8
SHA256: 5eb2d05ffc733e7ec63cb271201f87c7724793e5b92b875551ced1cebb505f3f
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javafx_iio.dll
executable
MD5: 04b0bc87fdc454dcea0cff46fa01668c
SHA256: e880cd6207c687437dd2ca60008ea375bd99b1c07075674cad1052f41b631a97
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jabswitch.exe
executable
MD5: 117b4d5106cc919c29404a5904ab941b
SHA256: a764db727ed6ec056ffe163dbb83db0ad0bd15b83181288c3afcd17a35e7d587
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\prism_common.dll
executable
MD5: 1651ec53b5204c983348de8cacc4e1f9
SHA256: 5264316be4820cbc940e0c277698e6f95ec99a52023e5ef85c3fbe624b45cdaf
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\sunec.dll
executable
MD5: 7014836a75a5f90d18fe5e314cfaaedf
SHA256: 23b40cf8e64e1a262ef9ff5b9e01246c082eeaa6039b4b05f92e1bd536bd7166
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javacpl.exe
executable
MD5: be337576c806c65d53cb6a7673cde00b
SHA256: e7521e54f241e99bb5f7f2de1cd2fc49f3980dc43eb6c5b8fa251178f03616ef
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jaas_nt.dll
executable
MD5: cb36d7042e9135bb5721484f7d6a5340
SHA256: e700d076614943e138b69f4a1f177914225ca35b93fed8b43bc4a86cfd87c59c
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\prism_sw.dll
executable
MD5: b257ff6fb051a023a1482049c7cfe242
SHA256: 3f976b7efc9fe59abfe0bcde0d3b5af1cf133c64ad1508cb4a00cf2c104f5e81
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\ssvagent.exe
executable
MD5: aa5a9a9dac9f07c7d5b64a3cd2628bcd
SHA256: 4ada2d738b490cc63f3c18f151239dfde615af8a4eaf44b8021642ff9a25b8f2
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javafx_font.dll
executable
MD5: a65e9dbf93159c723f22cbd85f544269
SHA256: eada27806ccbf4d015f35f369b6880ef3dcc2eaa3b1ca89546fbdba8b05d9b5c
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\java-rmi.exe
executable
MD5: 556ad8153ad374007ec9d3f489b66e88
SHA256: 2ba8cd9a3757ecf0b8b7de612d7f827de73f7e9da114b1979fe9d429a46f8109
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\pack200.exe
executable
MD5: 6cb276cacfc4181e4b648206790d25af
SHA256: 3047b67b36aee78b669fdedfe423e750b125837d92abcdc06983c34c65db71fc
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\tnameserv.exe
executable
MD5: 132c392d95a5a46a1508583a283d3cc7
SHA256: 9f37d44545726fb5aeb03285d3866266322b833cd1a1fde340497c7d9358f775
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javaw.exe
executable
MD5: 8cc8fe84f3d67f805d7e4f05ccff8ee8
SHA256: 11054aa4170990ad1d345a2caf15285f3157e4bf240015cc20431b7373a52fc2
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\instrument.dll
executable
MD5: 977b4d30e7c7e7d7a8680a48100efc81
SHA256: 1a1d2c51b3db4507e4a4ad3e5afb6728e69acf9905d3df7c9dc5adbe83f7e96e
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\npt.dll
executable
MD5: 6e2865dec3270bde9f6fecc6b34b58cb
SHA256: 9145cb3b7fe40237e5c980404ade4c862d48e2d644aeba0006ec3a6f3e9505b5
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\t2k.dll
executable
MD5: 0e2edd951a1d16c99051efa9bc5b407f
SHA256: d66f567fc2a33434063731832719cad75418c619dd30dcf6c339d2d3da32c7bb
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\java_crw_demo.dll
executable
MD5: dbad383a6f62bdd6237b55be13648064
SHA256: b34e72996d2c1a9b74a932c6259256b9001b73b3e7ef8c484afb61ff2517fba3
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\glib-lite.dll
executable
MD5: 7ab8afd789e45c2d08cbc3233daec0bf
SHA256: 465541ef4e9337108b375984c23f5d31e6c060fed16820bb9bc5af79a2109eac
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\orbd.exe
executable
MD5: 9d1e898f5892eb35346e1c38c38395e5
SHA256: 0f8cae56647464d75d2530cc9f7205c69911fced55e43a39d86ff4d435a018ed
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\sunmscapi.dll
executable
MD5: 7a1fb056a2c916b17f29abac29439a05
SHA256: 9c235bbfa97e6a8fc7e09a4ac12f84c8ed8855998410e96dd44e1b64ef951a80
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\javaws.exe
executable
MD5: 64c6a42537267f07fc6d63686e68330f
SHA256: 3514c54f5d552b2cb64b9e2f8d8c5f65807e1d49fe82689a16f6a3e7521fb437
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
executable
MD5: 28d020770921def13b9a8755feadf8e9
SHA256: 379a14d561afeb364f8902c0b5193da229882c6273f2793339e1ad682af516f4
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\msvcr100.dll
executable
MD5: bf38660a9125935658cfa3e53fdc7d65
SHA256: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\unpack.dll
executable
MD5: acb818dfec1b72a8c75ee82ff4d8108f
SHA256: 2864b031237c6a68eedab256732e43558b5741ae4f68a07a068438469ad907d9
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jawt.dll
executable
MD5: 725967c67304ef1a35a3651e1b6b80c2
SHA256: b11633c87ac49873d1e8ef5bcf9335dbe0579f483b5c745c0034f79b3fd0ae8c
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\hprof.dll
executable
MD5: 9449e99b7e7c8a9ed74ac6b8e1ab0eb9
SHA256: cc82beaa275f4ed4c33b694154bebc5fd097ada50072201d250aed3f269a41b6
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\msvcr120.dll
executable
MD5: 034ccadc1c073e4216e9466b720f9849
SHA256: 86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\verify.dll
executable
MD5: d8d5c97ebfa71c08fcb7e1a9edc63115
SHA256: 266d7992f7518b7cda33ba5251b0636b00ee13e6b17021311dcc1ba4dd2fc705
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll
executable
MD5: 9e242d7c5bf0756dd450139feaf8d67e
SHA256: 8019cd10ef1a1ddae179364934d1a0304cfcfc67be2dd7bca4ee8def93a89ef4
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\glass.dll
executable
MD5: be9d67dffcc06d2073831f5d8cde2dc0
SHA256: a92df0e1f93e29fae427da766d9b91bda4b421e6ab86aeb9cdd060b218028d35
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\nio.dll
executable
MD5: ea6a4745bb7c9085f069fd7b52696972
SHA256: fb537564d240ac9b730941b5c0966209a5857e4d3ec0582ba0443fe391c74294
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll
executable
MD5: e0ab625ec3351a8ad7af34850e8c803c
SHA256: 161f737f9c90e67f0fb80e7cd9d6823f83bdd1d971108faa99c6088c278a4f2a
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jdwp.dll
executable
MD5: 76cbdc3dbba3ae344a9a15839338af79
SHA256: f9a0e87300c8d094bb45834dd128e70a49d6d5d2cef20133411a769c01195c04
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\fxplugins.dll
executable
MD5: 06fdbc35b3b4a9a36a8688030d387f56
SHA256: 1c78673777d1d48bf9e1e247bc64231817dccec4b08cc5e8c7a7fc5ae1f32501
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\net.dll
executable
MD5: a91c9d88f705eac6934ce89e6c4ff63d
SHA256: 6d9bd64084180b7f1b7aa4902372879dc0400905856ac0c229ad33218f3257f1
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\unpack200.exe
executable
MD5: 79c7da7fa237cbad387e8592524907dc
SHA256: a6316854fe790d22e6264ee3abc3be49686e6e36299c9718be9a20bb3e9fb185
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jfr.dll
executable
MD5: 2204f11a218cb8675e2c20d5f601f3df
SHA256: 28da2d3e61a12408b8d9f86398f9c78f551e48404bd2c7bdccd8cbd74ed5e5a3
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\fontmanager.dll
executable
MD5: 412b97d96ea9384c78851938921ee44a
SHA256: 20bef5bcd523cff21bad585af91d1c913d5535a6b20ac70f5f3d8dafb2f90f25
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\msvcp120.dll
executable
MD5: fd5cabbe52272bd76007b68186ebaf00
SHA256: 87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll
executable
MD5: 788289c1ede7337f6555cefeb9b69868
SHA256: 699e5ff6df1060df61a32e99c8fc52837f40f774bfa88136af10036f4dd4a578
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jfxmedia.dll
executable
MD5: 724fc3a925b2f3a30f1df2926f85f5d1
SHA256: e62ec519aff414c1a81aeeb4cbf6de348b3b52ae527f14cedd42449e61fb1548
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\eula.dll
executable
MD5: 6f1188df337e62427791c77ea36e6eef
SHA256: dec4f2f32edc45f70e7119c9e52c4cef44bb9aa627dbec1ee70f61d37468556b
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\mlib_image.dll
executable
MD5: 99e9b09d5863b32047c8727e6303d151
SHA256: bb13a4ea915965aca971da50d9b90cbc0a32c99900eb585c6e9e12232b448fef
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\zip.dll
executable
MD5: 7a1f4ed63a22d079f9739c1cf5c9b253
SHA256: 9a7251883229ccc36859b02894b541a369c2426a9b5cbdc7e8a10db36f13451e
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jjs.exe
executable
MD5: 0bece1b836681a18ff7477adae7cd970
SHA256: c4916ed2eefc2ae2394625691f5550142eda6cb33e5e713d1e203b76b2141509
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\deploy.dll
executable
MD5: 720edc1469525dfcd3ae211e653d0241
SHA256: bff79fb05667992cc2bda9bae6e5a301baf553042f952203641ccd7e1fc4552d
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\management.dll
executable
MD5: ee87a0c0cb4291612dd37cbcee6ddf72
SHA256: 035121aee1e7f257c582837e1a0bd2e240bc1d1a791354a803e5fa165be22d87
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\wsdetect.dll
executable
MD5: 9d4fc6d63df062b08882274b977edbb9
SHA256: a78345586e443e0adc6554951946ad874f61ba2ff724fa8121df546a4b21df4a
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jli.dll
executable
MD5: 22ab805e1f217ea0033f82437d2fc5db
SHA256: 45c6aa5006ebaf8ab63f26134f2753bf4f20497942de58bc734e437e2d0f32f6
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\decora_sse.dll
executable
MD5: 94434b8739cb5cd184c63cec209f06e2
SHA256: adf4e9ce0866ff16a16f626cfc62355fb81212b1e7c95dd908e3644f88b77e91
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\lcms.dll
executable
MD5: 18d1893297df724dc8950691a6f0dc39
SHA256: e179ace7a6d6cffeb7540d67ef56d86a96cd16c421154b0a8b499722a4e957d9
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\client\jvm.dll
executable
MD5: 926824b862bbfe15455842d9d4900783
SHA256: 156afc715e865695ddf69d4a7db5fea2023b39748febfd86add15e9498c26639
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jp2native.dll
executable
MD5: f39560555d06cbc2c88f94e9c96f21ee
SHA256: f5faf9f49ca7f199f572e4227896ae839596cc9f6039875f3fa3a0eaddc40084
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\dt_socket.dll
executable
MD5: 138f156057245747692a68ebe50d52c2
SHA256: f0fd0268d6e410c05e7ee71ad9c96744cd5e4a97329f608041d7078faee24ed0
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\ktab.exe
executable
MD5: 60ef921f2d321b36468fafb6acda65b3
SHA256: e89fe9520bcedbba20b5773598fb15e90dc828be7691adaa9d887ca585046aad
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
executable
MD5: cbaba29ce7925baa5b0c45dc78c1a275
SHA256: adaaa9037be30c708865a6627df9c0e43acf93d100469e5fdf83f632d2fe1829
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jp2launcher.exe
executable
MD5: f35d9cba3fe90871eb523aad831f11b0
SHA256: d8e40564694d5a2fdd85ab5345d8589e637e387d59160a74737832670da01597
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\dt_shmem.dll
executable
MD5: 0744e6a5145aa945d89a16eac835fab2
SHA256: c417390f681276ec0d55d81a91b87eae75ca245045f5c23e9b43550b708fb1a6
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jp2iexp.dll
executable
MD5: 9e95023ed505c988ba4e94741383d428
SHA256: 5cd202cd92f33cbad11898331dec0791bf0bccf8ddf22849942debde007c3317
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
executable
MD5: d73a1252502a5f6218c916219b52139d
SHA256: 62248d7ab742e200996bf87433b4e8478e4d8bcfbc0a2ee7cbe3a5a62f6268c3
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jp2ssv.dll
executable
MD5: d1d62dcb7536ae4c338a3364f5f6f3bd
SHA256: e5328bcaec7fdba85097c04d5f4f35f648753b3378fb1d9ee6ce6965b9562e90
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\awt.dll
executable
MD5: 775d4b37e0ddbfa0eb56db38126fb444
SHA256: e5d4fc7d47a38a389884af1ea5f06f7c61c5cde6afc154a23a3cb5a127da1e34
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jsound.dll
executable
MD5: cfe7513e5805ec5664ead9f86bfe91f2
SHA256: 5303366d9447a7610bd971339f27333767d399fca0a3f01154b082d47bd0a46e
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll
executable
MD5: bf38660a9125935658cfa3e53fdc7d65
SHA256: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jsdt.dll
executable
MD5: dbb92d51eb213d56c5d01052834e9183
SHA256: fe5d22121d6a683bb87b362da85cabf8aead1c171d347d0a16da64c74dd8a3bc
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\dcpr.dll
executable
MD5: 682cfd9431e5675900b04febe6cd4eb9
SHA256: 80111e1d706741f5ef7f661835c3aa46664666425aa1b5f93103410f2bee1213
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\klist.exe
executable
MD5: c8c94465a25d872da60b718d43af0504
SHA256: 298d8e2730a3dbe942ebe0379f7303bb2872fd7f05746851e47ed7588f541477
3752
javaw.exe
C:\Users\admin\AppData\Local\Temp\Windows3985067333209210860.dll
executable
MD5: 0b7b52302c8c5df59d960dd97e3abdaf
SHA256: a6be5be2d16a24430c795faa7ab7cc7826ed24d6d4bc74ad33da5c2ed0c793d0
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jsoundds.dll
executable
MD5: c96099a6d84497e6cb58e97c9d5b76c3
SHA256: b534c43f203c5502e43a5d0fdbfbd9422de342aade635009fab791eb82f3c020
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\bci.dll
executable
MD5: 6d8d8a26450ee4ba0be405629ea0a511
SHA256: 7945365a3cd40d043dae47849e6645675166920958300e64dea76a865bc479af
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\keytool.exe
executable
MD5: 4951bf5b5b159d2bc43c9b29a979c154
SHA256: 8c40c13f83ea7c95b441548a455b57edac019b1cbfd6c6a068ddad33a6476ff1
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\jpeg.dll
executable
MD5: ec93a126e1db9503fc1ff9b49856fa3c
SHA256: 8cf3344453c02bf21ff8c79a6189f25617ca38cee2632766d0aa4ee07277bc25
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\kinit.exe
executable
MD5: 4afcab972e98ecbf855f915b2739f508
SHA256: 7cc34a5423bd3fc9fa63d20ebece4103e22e4360df5b9caa2b461069dac77f4d
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\kcms.dll
executable
MD5: bdd2789a8fe04e4312ee317ceb4a4d88
SHA256: 0ecd837ae93404f0aacfa6efc20f3c3ce6d1ae683e60a1c8873f07bfc8f93dc4
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\java.exe
executable
MD5: 04205791371060574d5c345f0bb57917
SHA256: df24b51772ff4959e9bbfe481f72f0e88ba6e7c031d60edb3b1a47c69f69a6d0
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\psfontj2d.properties
text
MD5: f8734590a1aec97f6b22f08d1ad1b4bb
SHA256: 7d51936fa3fd5812ae51f9f5657e0e70487dca810b985607b6c5d6603f5e6c98
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\psfont.properties.ja
text
MD5: 7c5514b805b4a954bc55d67b44330c69
SHA256: 0c790de696536165913685785ea8cbe1ac64acf09e2c8d92d802083a6da09393
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jsse.jar
java
MD5: 7a018cbe03f4eee70b040553efed42f4
SHA256: 150a521c8958ca278cfc9fcda5710b2cbed1f638fec363b90616f4d59da612d8
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jfr.jar
java
MD5: b2f30d9605b3cc49a278203061fc98ba
SHA256: da445853b3f321af974a7b386bb21590fa7b9cd3c58509d53d226df20f2961a2
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jfxswt.jar
java
MD5: 37fa7eee101cf7bc16a85029f83e850a
SHA256: 14d02e34af7277679d75eb8cc1afcd47484f37f5c499124fa0389a39f42f5947
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\management-agent.jar
java
MD5: b18518464264cebdd8799cbed35f3f7f
SHA256: 4d8c0e43762328ba0868d40e08dcc05f0f23a8caf51306fd636e6ea16b672d1c
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jvm.hprof.txt
text
MD5: c677ff69e70dc36a67c72a3d7ef84d28
SHA256: b055bf25b07e5ac70e99b897fb8152f288769065b5b84387362bb9cc2e6c9d38
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\logging.properties
text
MD5: 809c50033f825eff7fc70419aaf30317
SHA256: ce1688fe641099954572ea856953035b5188e2ca228705001368250337b9b232
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jce.jar
compressed
MD5: a39f61d6ed2585519d7af1e2ea029f59
SHA256: 60724d9e372fbe42759349a06d3426380ca2b9162fa01eb2c3587a58a34ad7e0
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\javaws.jar
java
MD5: eb63ff55969f491a731a7e4f3a6ff846
SHA256: 32b13e1c8e4544101edbca9b4e1f2ecaa938d64fbf754cd8d883fd61160ddca4
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\fontconfig.bfc
image
MD5: e0e5428560288e685dbffc0d2776d4a6
SHA256: aae23acc42f217a63d675f930d077939765b97e9c528b5659842515ca975111f
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\fontconfig.properties.src
text
MD5: 1c2ffea868138a14fcf8ffcc375a0ab1
SHA256: 2f3067fb80574523307836e50990f575aa50aca3bc4fed9bcbdea291d36012a2
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\hijrah-config-umalqura.properties
text
MD5: 1eddfb1ee252055556f40cdc79632e98
SHA256: 69becfe0d45b62bbdbcf6fe111a8a3a041fb749b6cf38e8a2f670607e17c9ee2
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\javafx.properties
text
MD5: 107d23e6c7343c1f86cecf91bf42d552
SHA256: 31fc73f6ec0ecba0ad42cee311c44575b9f51f87974f7c00bf5bc90a8ae0970f
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\flavormap.properties
text
MD5: d8b47b11e300ef3e8be3e6e50ac6910b
SHA256: c2748e07b59398cc40cacccd47fc98a70c562f84067e9272383b45a8df72a692
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\deploy.jar
java
MD5: a278937078cdff06328ccf717bd1edf8
SHA256: 89a5321ec48030682c800c0eab5ae6c627aba1c44b3c4e7e00a792248904e672
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\currency.data
binary
MD5: f6258230b51220609a60aa6ba70d68f3
SHA256: 22458853da2415f7775652a7f57bb6665f83a9ae9fb8bd3cf05e29aac24c8441
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\content-types.properties
text
MD5: f507712b379fdc5a8d539811faf51d02
SHA256: 46f47b3883c7244a819ae1161113fe9d2375f881b75c9b3012d7a6b3497e030a
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\charsets.jar
java
MD5: 12bd6dc91e67e16b0f259556bee7f1cc
SHA256: 87101f1d338940ded404e718791c0c930c3a382db3213076301a9f8c5cb04f45
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\classlist
text
MD5: 7fc71a62d85ccf12996680a4080aa44e
SHA256: 01fe24232d0dbefe339f88c44a3fd3d99ff0e17ae03926ccf90b835332f5f89c
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\calendars.properties
text
MD5: 40a6f317d17705b4d0241f4ebb45962d
SHA256: d93fb6d3451d1b82256b0e31aae7850152fa5df76f116a9d669aa4ace6bb68b4
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\accessibility.properties
text
MD5: 2ed483df31645d3d00c625c00c1e5a14
SHA256: 68ef2f3c6d7636e39c6626ed1bd700e3a6b796c25a9e5feca4533abfacd61cdf
2960
WScript.exe
C:\Users\admin\AppData\Roaming\UwwogLCzsN.vbs
text
MD5: 98f00b8887beb982534929376695d20e
SHA256: 7679e6eb17505c8c4315d5d5c43a20afd0069e3f0e922c37a3d783d06b7cb5e8
2168
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini
text
MD5: f70f579156c93b097e656caba577a5c9
SHA256: b926498a19ca95dc28964b7336e5847107dd3c0f52c85195c135d9dd6ca402d4
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\client\Xusage.txt
text
MD5: b3174769a9e9e654812315468ae9c5fa
SHA256: 37cf4e6cdc4357cebb0ec8108d5cb0ad42611f675b926c819ae03b74ce990a08
2168
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\shortcuts.xml
text
MD5: ad21a64014891793dd9b21d835278f36
SHA256: c24699c9d00abdd510140fe1b2ace97bfc70d8b21bf3462ded85afc4f73fe52f
2168
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\stylers.xml
xml
MD5: 44982e1d48434c0ab3e8277e322dd1e4
SHA256: 3e661d3f1ff3977b022a0acc26b840b5e57d600bc03dcfc6befdb408c665904c
2168
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\langs.xml
xml
MD5: e792264bec29005b9044a435fba185ab
SHA256: 5298fd2f119c43d04f6cf831f379ec25b4156192278e40e458ec356f9b49d624
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\bin\client\classes.jsa
––
MD5:  ––
SHA256:  ––
2168
notepad++.exe
C:\Users\admin\AppData\Roaming\Notepad++\session.xml
text
MD5: 0dc3ad2c49769b4564d585c27cd4d8e8
SHA256: f2594ec413eeee855bf619bafa41455fc250618433a5f835879651a8cdfc7474
3076
java.exe
C:\Users\admin\AppData\Local\Temp\Retrive8392861628791905762.vbs
text
MD5: a32c109297ed1ca155598cd295c26611
SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
3076
java.exe
C:\Users\admin\AppData\Local\Temp\Retrive6577381704930438124.vbs
––
MD5:  ––
SHA256:  ––
3752
javaw.exe
C:\Users\admin\AppData\Local\Temp\Retrive7585012980263568154.vbs
––
MD5:  ––
SHA256:  ––
3752
javaw.exe
C:\Users\admin\AppData\Local\Temp\Retrive584406034362763191.vbs
text
MD5: 3bdfd33017806b85949b6faa7d4b98e4
SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
3076
java.exe
C:\Users\admin\.oracle_jre_usage\82de497bd14093d8.timestamp
text
MD5: a42b861ccf032d426eaff8ef97c7a79c
SHA256: 7b7a2b711f315f2f2b9a0860a11e9faa04a39996fd35cab7e819273beadd11d3
3752
javaw.exe
C:\Users\admin\AppData\Local\Temp\_0.92356196755314895831177030028162598.class
java
MD5: 781fb531354d6f291f1ccab48da6d39f
SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
3816
java.exe
C:\Users\admin\fUTkALeaTxM\ID.txt
text
MD5: ec9706e92a65d239946648a255cf452f
SHA256: d7ff87b92e44c9ad213feb5cf2b3627417259d3fa97218ae3894490d1e224089
3752
javaw.exe
C:\Users\admin\.oracle_jre_usage\82de497bd14093d8.timestamp
text
MD5: ce0bd68bba84b861e0898202c11edb87
SHA256: 6d7b2bd20f3acc4e0e0ad726e52099eaaf05b13a19baaeff8dea20e74a276060
3344
javaw.exe
C:\Users\admin\jZOkYHeFpOU\USiOzNLmhfc.IkTbjA
java
MD5: cdee1e867980580a55bc34bc240fb12b
SHA256: 43778130f1a0df96af4cec920046ffc6cb65e0bfd6e76213e17d299b313dba35
3344
javaw.exe
C:\Users\admin\jZOkYHeFpOU\ID.txt
text
MD5: b69464ba9963508c12653627419c6ace
SHA256: 59725a77cd5c3b9b483be586551dbc781cb7857e368aa9c66bb47420ee1e5ca6
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\US_export_policy.jar
compressed
MD5: ee4ed9c75a1aaa04dfd192382c57900c
SHA256: 90012f900cf749a0e52a0775966ef575d390ad46388c49d512838983a554a870
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\local_policy.jar
compressed
MD5: 57aaaa3176dc28fc554ef0906d01041a
SHA256: b8becc3ef2e7ff7d2165dd1a4e13b9c59fd626f20a26af9a32277c1f4b5d5bc7
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\java.policy
text
MD5: 11340cd598a8517a0fd315a319716a08
SHA256: b8582889b0df36065093c642ed0f9fa2a94cc0dc6fde366980cfd818ec957250
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\java.security
text
MD5: 409c132fe4ea4abe9e5eb5a48a385b61
SHA256: 4d9e5a12b8cac8b36ecd88468b1c4018bc83c97eb467141901f90358d146a583
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\javaws.policy
text
MD5: 9107d028bd329dbfe4c1f19015ed6d80
SHA256: b7a87d1f3f4b7ba1d19d0460fa4b63bd1093afc514d67fe3c356247236326425
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\cacerts
jks
MD5: 0cbb829e01dff3e17f3e905b47a86036
SHA256: 9e9a07bd4ed7eb11f1f41e5a9cd92f6ab0ab6da1872c2561a67366fd4541831d
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\blacklisted.certs
text
MD5: b9c358f9d668e86fda8048982e741acc
SHA256: ddd297102146ac7f6607b35c0e0b565975739a7841da5e5a6207b6f4ebb2d822
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\security\blacklist
text
MD5: b2c6eae6382150192ea3912393747180
SHA256: 6c73c877b36d4abd086cb691959b180513ac5abc0c87fe9070d2d5426d3dbf71
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\management\snmp.acl.template
text
MD5: 71a7de7dbe2977f6ece75c904d430b62
SHA256: f1dc97da5a5d220ed5d5b71110ce8200b16cac50622b33790bb03e329c751ced
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\management\management.properties
text
MD5: 81a43119ab15099c1d70e2d683fc8c0a
SHA256: fcacfa57ce3fe6372c2273abc032a1320be021af42553e2104db9937b6771783
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\management\jmxremote.access
text
MD5: f63bea1f4a31317f6f061d83215594df
SHA256: 439158eb513525feda19e0e4153ccf36a08fe6a39c0c6ceeb9fcee86899dd33c
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\management\jmxremote.password.template
text
MD5: 7b46c291e7073c31d3ce0adae2f7554f
SHA256: 3d83e336c9a24d09a16063ea1355885e07f7a176a37543463596b5db8d82f8fa
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jfr\default.jfc
xml
MD5: 41d5cd8db1f75101304308a9ee3612ff
SHA256: 0c8cd372c548e4ddcbb0fa8cd6fca09d65ec312d784f495be19baf1bf06c57f3
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\jfr\profile.jfc
xml
MD5: 8b5c309810d64a8c62e7cdc6436f97a9
SHA256: f70e4c858a96603de6c042ea796300c232953aab17579ff4e7a47fe9ffe17c26
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_MoveDrop32x32.gif
image
MD5: cc8dd9ab7ddf6efa2f3b8bcfa31115c0
SHA256: 12cfce05229dba939ce13375d65ca7d303ce87851ae15539c02f11d1dc824338
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_MoveNoDrop32x32.gif
image
MD5: 1e9d8f133a442da6b0c74d49bc84a341
SHA256: 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif
image
MD5: 1e9d8f133a442da6b0c74d49bc84a341
SHA256: 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_LinkDrop32x32.gif
image
MD5: 694a59efde0648f49fa448a46c4d8948
SHA256: 485cbe5c5144cfcd13cc6d701cdab96e4a6f8660cbc70a0a58f1b7916be64198
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_LinkNoDrop32x32.gif
image
MD5: 1e9d8f133a442da6b0c74d49bc84a341
SHA256: 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyDrop32x32.gif
image
MD5: 89cdf623e11aaf0407328fd3ada32c07
SHA256: 13c783acd580df27207dabccb10b3f0c14674560a23943ac7233df7f72d4e49d
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\invalid32x32.gif
image
MD5: 1e9d8f133a442da6b0c74d49bc84a341
SHA256: 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\images\cursors\cursors.properties
text
MD5: 269d03935907969c3f11d43fef252ef1
SHA256: 7b8b63f78e2f732bd58bf8f16144c4802c513a52970c18dc0bdb789dd04078e4
3732
xcopy.exe
C:\Users\admin\AppData\Roaming\Oracle\lib\i386\jvm.cfg
text
MD5: 9aef14a90600cd453c4e472ba83c441f
SHA256: 9e86b24ff2b19d814bbaedd92df9f0e1ae86bf11a86a92989c9f91f959b736e1
3732
xcopy.exe