Sample details: a6ffcd7060ef8c35b69f9ba3931293c5 --

Hashes
MD5: a6ffcd7060ef8c35b69f9ba3931293c5
SHA1: 0f0bb8b65a1507781eb76abdd6bee3822b041faa
SHA256: c4071ac063992cdba0b29e2fc62c22d4623825e8227bfb5d4d513e67ef2b6f18
SSDEEP: 384:2qdckIyvEfWoidL39Ko5FZdgAkTiM79mgLu2e9czYxt+wtflOdvZBveHPHtV5kbv:xSkIZiJ973M7YuccK+wtfp6bhz2
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Basic_v50 | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsBeyondImageSize | YRP/FASM | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Browsers | YRP/Dropper_Strings | YRP/disable_antivirus | YRP/win_files_operation |
Parent Files
72d3f95e4295110ce341e289f3b8859d
Strings
		!This program cannot be run in DOS mode.
`.data
.idata
(3~U,gU
8}<3lI,\G
:y16k@2_B
n+pd(]U
&w}!bh
(9v56n@4fC0[C
d/w`,jZ*[Q
*~w)pl%`]
$u~"fl
b2e.exe
!This program cannot be run in DOS mode.
`.text
`.data
selfdel
rmdir 
batchfile.bat
memset
memcpy
remove
_mkdir
_chdir
_rmdir
malloc
CRTDLL.dll
GetModuleHandleA
HeapCreate
lstrlenA
GetModuleFileNameA
GetTempPathA
GetTempFileNameA
CreateFileA
GetFileSize
ReadFile
CloseHandle
WriteFile
HeapDestroy
ExitProcess
GetExitCodeProcess
KERNEL32.dll
strncpy
strlen
InitializeCriticalSection
GetCommandLineA
HeapAlloc
HeapFree
HeapReAlloc
ShellExecuteExA
ShellExecuteA
SHELL32.dll
PathQuoteSpacesA
PathAddBackslashA
PathRemoveBlanksA
PathFileExistsA
PathRemoveFileSpecA
SHLWAPI.dll
batchfile.bat                                                                                       
@echo off
rem NOTE(review): this listing is the batch script embedded in the sample, as recovered by
rem string extraction. Non-ASCII comment text was dropped, so the short rem fragments and
rem the stray lines that follow them are incomplete remnants, not commands.
 priv.ser, priv.ser
echo. & echo.
echo ---------
echo. & echo.
    rem -----------------RD 
      rem 
      rem NOTE(review): if rdviewer50u.ocx exists under system32 it is unregistered silently
      rem with regsvr32 /u /s; the goto only skips that step, so the two del commands run
      rem in either case.
      dir /w "%systemroot%\system32\rdviewer50u.ocx" > nul
      if not %ERRORLEVEL% == 0  goto loop1
      regsvr32/u/s  rdviewer50u.ocx
      :loop1
      del /q "C:\windows\Downloaded Program Files\rdviewer*"
      del /q "C:\windows\system32\rdagentx50u*"
    rem -----------------java plugin
      rem  
 http://kryanpw0001.cuckoo.domain/Windchill/netmarkets/jsp/document/doc_multi_create.jsp?oid=project~wt.projmgmt.admin.Project2%3A12771574&context=folder%24list%24project~wt.projmgmt.admin.Project2%3A12771574%24project~wt.projmgmt.admin.Project2%3A12771574!*&portlet=poppedup
      rem java 
          rem NOTE(review): xcopy /y overwrites without prompting, so an existing trusted.certs
          rem in the user's Java deployment security directory is replaced by the bundled file,
          rem and priv.ser is copied into two .wt directories. The certificate strings later in
          rem this dump suggest what trusted.certs carries - confirm against the extracted file.
          md    "%APPDATA%\Sun\Java\Deployment\security"
          md    "%APPDATA%\..\locallow\.wt"
          md    "%APPDATA%\..\.wt"
          xcopy /y trusted.certs "%APPDATA%\Sun\Java\Deployment\security"
          xcopy /y priv.ser      "%APPDATA%\..\locallow\.wt"
          xcopy /y priv.ser      "%APPDATA%\..\.wt"
      rem 1.7.0.17, 1.7.0.55 
      rem    
 java 
      rem    
 on, java 
      rem Java
-Java Plug-in-
 Java Plug-in
"   (PLM 
, disable next-generation Java Plug-in)
      rem NOTE(review): the next key is written as 1.4.2.06, while later writes in this script
      rem use 1.4.2_06; one of the two spellings is probably a typo, so this value may land
      rem under a key the plug-in never reads.
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\1.4.2.06" /v "UseNewJavaPlugin"      /t REG_DWORD /d 0 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\1.6.0_20" /v "UseNewJavaPlugin"      /t REG_DWORD /d 0 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\1.6.0_30" /v "UseNewJavaPlugin"      /t REG_DWORD /d 0 /f
      rem java 1.7.x.xx
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\10.17.2"  /v "UseNewJavaPlugin"      /t REG_DWORD /d 1 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\10.55.2"  /v "UseNewJavaPlugin"      /t REG_DWORD /d 1 /f
      rem     64
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\1.6.0_30" /v "UseNewJavaPlugin"      /t REG_DWORD /d 1 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy"    /v "EnableAutoUpdateCheck" /t REG_DWORD /d 0 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy"    /v "EnableJavaUpdate"      /t REG_DWORD /d 1 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\1.6.0_30" /v "UseJava2IExplorer"     /t REG_DWORD /d 0 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\1.6.0_30" /v "HideSystemTrayIcon"    /t REG_DWORD /d 1 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\10.17.2"  /v "HideSystemTrayIcon"    /t REG_DWORD /d 1 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\10.55.2"  /v "HideSystemTrayIcon"    /t REG_DWORD /d 1 /f
      echo. & echo.
      rem java 1.7.x.xx 
      rem    
 C:\Documents and Settings\print\Application Data\Sun\Java\Deployment\deployment.properties 
      rem    
   deployment.security.level=MEDIUM
      rem    type     "%userprofile%\Application Data\Sun\Java\Deployment\deployment.properties"
      rem NOTE(review): each echo in this section appends to deployment.properties, so repeated
      rem runs add duplicate lines. deployment.security.level=MEDIUM presumably lowers the Java
      rem security level from its default - confirm for the JRE versions in use.
      echo deployment.security.level=MEDIUM>> "%userprofile%\Application Data\Sun\Java\Deployment\deployment.properties"
      rem java 1.7.x.xx 
 java 
 off, 
      echo deployment.webjava.enabled=true>> "%userprofile%\Application Data\Sun\Java\Deployment\deployment.properties"
      rem java 1.7.x.xx 
 "frm-92095 oracle jinitiator 
." (jre1.7 
      rem    java 
 : -Djava.vendor="Sun Microsystems Inc."
      rem    
 C:\Documents and Settings\print\Application Data\Sun\Java\Deployment\deployment.properties 
      rem    
   deployment.javaws.jre.0.args=-Djava.vendor\="Sun Microsystems Inc."
      rem    type "%userprofile%\Application Data\Sun\Java\Deployment\deployment.properties"
      echo deployment.javaws.jre.0.args=-Djava.vendor\="Sun Microsystems Inc." >> "%userprofile%\Application Data\Sun\Java\Deployment\deployment.properties"
      rem Java
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_30" /v "JavaHome"    /t REG_SZ  /d "C:\Program Files\Java\jre6" /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_30" /v "RuntimeLib"  /t REG_SZ  /d "C:\Program Files\Java\jre6\bin\client\jvm.dll" /f
      rem java 
      rem NOTE(review): EnableAutoUpdateCheck is set to 0 in both the native and Wow6432Node
      rem policy keys and the SunJavaUpdateSched Run value is deleted, so the JRE is presumably
      rem left without automatic update checks. Treat hosts that ran this script as likely to
      rem carry an outdated Java runtime.
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy"    /v "EnableAutoUpdateCheck" /t REG_DWORD /d 0 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy"    /v "EnableJavaUpdate"      /t REG_DWORD /d 1 /f
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"      /v "SunJavaUpdateSched"    /f
      rem 
-java(sun) "<applet>
 JRE 1.6.0.07
  (SameTime 
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\1.4.2_06" /v "UseJava2IExplorer"     /t REG_DWORD /d 0 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\1.6.0_07" /v "UseJava2IExplorer"     /t REG_DWORD /d 0 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\1.6.0_20" /v "UseJava2IExplorer"     /t REG_DWORD /d 0 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\1.6.0_30" /v "UseJava2IExplorer"     /t REG_DWORD /d 0 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\10.17.2"  /v "UseJava2IExplorer"     /t REG_DWORD /d 0 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\10.55.2"  /v "UseJava2IExplorer"     /t REG_DWORD /d 0 /f
      rem java 
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\1.4.2_06" /v "HideSystemTrayIcon"    /t REG_DWORD /d 1 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\1.6.0_07" /v "HideSystemTrayIcon"    /t REG_DWORD /d 1 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\1.6.0_20" /v "HideSystemTrayIcon"    /t REG_DWORD /d 1 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\1.6.0_30" /v "HideSystemTrayIcon"    /t REG_DWORD /d 1 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\10.17.2"  /v "HideSystemTrayIcon"    /t REG_DWORD /d 1 /f
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\10.55.2"  /v "HideSystemTrayIcon"    /t REG_DWORD /d 1 /f
      echo. & echo.
    rem -----------------iexplore.exe
    rem 
        rem 
 http://valley.egloos.com/viewer/?url=http://doodoodoo.egloos.com/807735
        rem Zones 
(0-4) 
        rem     0 
        rem     1 
        rem     2 
        rem     3 
        rem     4 
        rem 
        rem     0 
        rem ----
        rem NOTE(review): the ZoneMap writes assign the http scheme of cuckoo.co.kr and
        rem cuckoo.domain to zone 2, and the Zones\2 and Zones\3 writes below then change
        rem per-zone URL actions. In the standard IE numbering zone 2 is Trusted sites and
        rem zone 3 is Internet, and data 0 enables, 1 prompts and 3 disables the named
        rem action - confirm against Microsoft's URL action reference before relying on this.
        rem NOTE(review): as I read that reference, 1809 is the pop-up blocker, 2301 the
        rem phishing filter, 2101 navigation from less privileged zones, 1409 the XSS filter,
        rem 1001 and 1004 signed and unsigned ActiveX download, 1201 ActiveX not marked safe,
        rem 1405 scripting of safe ActiveX, 1209 scriptlets, 1605 Java, 1803 file download and
        rem 2200 automatic download prompting.
        rem NOTE(review): the Zones\3 writes apply to every Internet site, not only the two
        rem mapped domains: 1409 set to 3 would turn the XSS filter off and 1004 set to 1
        rem would prompt for unsigned ActiveX instead of refusing it. Because the mapped
        rem sites use plain http, their zone 2 privileges also extend to anyone able to
        rem tamper with that traffic.
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cuckoo.co.kr"  /v "http" /t REG_DWORD /d 2 /f
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cuckoo.domain" /v "http" /t REG_DWORD /d 2 /f
        rem ----
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"  /v 1809       /t REG_DWORD /d 3  /f
        rem ----
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"  /v 2301       /t REG_DWORD /d 0  /f
        rem ----
        rem           
 sign 
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"  /v 2101       /t REG_DWORD /d 0  /f
        rem ----XSS 
 oracle ERP 
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"  /v 1409       /t REG_DWORD /d 3 /f
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"  /v 1409       /t REG_DWORD /d 3 /f
        rem ----ActiveX 
 ActiveX 
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"  /v 1001       /t REG_DWORD /d 0  /f
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"  /v 1001       /t REG_DWORD /d 1  /f
        rem ----ActiveX 
 ActiveX 
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"  /v 1004       /t REG_DWORD /d 1  /f
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"  /v 1004       /t REG_DWORD /d 1  /f
        rem ----ActiveX 
 ActiveX 
        rem     ERP or PLM java 
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"  /v 1201       /t REG_DWORD /d 0  /f
        rem ----ActiveX 
 ActiveX 
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"  /v 1405       /t REG_DWORD /d 0  /f
        rem ----ActiveX 
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"  /v 1209       /t REG_DWORD /d 0  /f
        rem ----
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"  /v 1605       /t REG_DWORD /d 0  /f
        rem ----
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"  /v 1803       /t REG_DWORD /d 0 /f
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"  /v 1803       /t REG_DWORD /d 0 /f
        rem ----
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"  /v 2200       /t REG_DWORD /d 0 /f
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"  /v 2200       /t REG_DWORD /d 0 /f
    rem ie7 
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing"       /v "OpenAdjacent"       /t REG_DWORD  /d 1  /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing"       /v "OpenInForeground"   /t REG_DWORD  /d 1  /f
    rem 
 off (
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing"       /v "PopupsUseNewWindow" /t REG_DWORD  /d 1  /f
    rem 
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing"       /v "ShortcutBehavior"   /t REG_DWORD  /d 1  /f
    rem 
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows"          /v "PopupMgr"           /t REG_DWORD  /d 0  /f
    rem 
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow"    /v "*.cuckoo.co.kr"     /t REG_BINARY /d 00 /f
    rem 
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Suggested Sites"      /v "Enabled"            /t REG_DWORD  /d 0  /f
    rem 
 0 (ie7-
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter"       /v "Enabled"            /t REG_DWORD  /d 0  /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter"       /v "ShownVerifyBalloon" /t REG_DWORD  /d 3  /f
    rem 
 utf-8 
 (PLM BOM
)  (0 
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v UrlEncoding /t reg_dword /d 0 /f
    rem 
 HTTP 1.1 
 HTTP 1.1 
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"          /v "ProxyHttp1.1"          /t REG_DWORD /d 0 /f
    rem 
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v SyncMode5 /t REG_DWORD /d 3 /f
    rem 
    REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Window_Placement" /f
    rem 
 Start Page
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "http://silkroad.cuckoo.co.kr" /f
    rem 
 naver
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes"  /v "DefaultScope"                /t REG_SZ    /d "{0EB91D06-CCAB-4326-B40B-CC9EA44F8499}" /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes"  /v "DisplayQuickPick"            /t REG_DWORD /d 1 /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes"  /v "DownloadRetries"             /t REG_DWORD /d o /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes"  /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d 1 /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0EB91D06-CCAB-4326-B40B-CC9EA44F8499}" /v "DisplayName"           /t REG_SZ     /d "Naver" /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0EB91D06-CCAB-4326-B40B-CC9EA44F8499}" /v "URL"                   /t REG_SZ     /d "http://search.naver.com/search.naver?where=nexearch&sm=osd&query={searchTerms}" /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0EB91D06-CCAB-4326-B40B-CC9EA44F8499}" /v "FaviconURL"            /t REG_SZ     /d "http://www.naver.com/favicon.ico" /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0EB91D06-CCAB-4326-B40B-CC9EA44F8499}" /v "SuggestionsURL_JSON"   /t REG_SZ     /d "http://ac.search.naver.com/autocompl?m=s&q={searchTerms}&oe={outputEncoding}" /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0EB91D06-CCAB-4326-B40B-CC9EA44F8499}" /v "ShowSearchSuggestions" /t REG_DWORD  /d 1 /f
    rem ie7 
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG" /v "iexplore.exe" /t REG_DWORD /d 0 /f
    rem 
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache"    /v Persistent /t REG_DWORD /d 0 /f
    rem 
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main"                           /v IEWatsonEnabled /t REG_DWORD /d 0 /f
    rem 
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"          /v DontUseDNSLoadBalancing /t reg_binary /d 01000000 /f
    rem 
    REG DELETE "HKLM\SOFTWARE\COVISION"  /f
    REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\COVISION" /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"                            /v "SmoothScroll"                       /t REG_DWORD  /d 0   /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"                            /v "Friendly http errors"               /t REG_SZ     /d yes /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"                            /v "NotifyDownloadComplete"             /t REG_SZ     /d yes /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"                            /v "Error Dlg Displayed On Every Error" /t REG_SZ     /d no  /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"                            /v "AllowWindowReuse"                   /t REG_DWORD  /d 1   /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"                            /v "NscSingleExpand"                    /t REG_DWORD  /d 0   /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"                            /v "EnableSearchPane"                   /t REG_DWORD  /d 0   /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"                            /v "AutoSearch"                         /t REG_DWORD  /d 4   /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"                            /v "FullScreen"                         /t REG_SZ     /d no  /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download"                        /v "RunInvalidSignatures"  /t REG_DWORD /d 0 /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IETld"                           /v "StaleIETldCache"       /t REG_DWORD /d 0 /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International"                   /v "CNum_CpCache"          /t REG_DWORD /d 1 /f
    rem reg add 
 hex:01,00,00,00 
 reg_binary 
. reg_binary /d 01000000 /f
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International"                   /v "CpCache"               /t REG_BINARY /d e9fd0000 /f
    rem -----------------net use 
      rem NOTE(review): this section only removes existing drive mappings and UNC connections.
      rem 172.10.0.2000 is not a valid IPv4 address because the last octet exceeds 255, so the
      rem four deletions naming it are unlikely to match a real connection as written; the
      rem value may be a typo or may have been altered before publication. The two lines that
      rem end in a bare backslash lost their share names in extraction.
      rem NOTE(review): 210.105.131.219 lies outside the RFC 1918 private ranges, so the
      rem erpshare connection being removed was presumably SMB to a routable address.
      net use /d n:
      net use /d p:
      net use /d \\172.10.0.2000\d$
      net use /d \\172.10.0.2000\driver
      net use /d \\172.10.0.2000\setup
      net use /d \\172.10.0.2000\scan
      net use /d \\172.20.2.200\TEMP
      net use /d "\\172.20.2.200\
      net use /d \\210.105.131.219\erpshare
      net use /d \\210.105.131.219\
      echo. & echo.
    rem ------------ip.bat 
      rem NOTE(review): the echo redirections below create ip.bat and ipp.bat in the Windows
      rem directory, overwriting any earlier copy. Both only run ipconfig /all and ping
      rem 164.124.101.2; ip.bat pings twice and pauses, ipp.bat pings 300 times. Script files
      rem written into the Windows directory are still a useful file-creation event to look
      rem for when scoping hosts that ran this sample.
      echo @echo off                                                                       > "%systemroot%\ip.bat"
      echo rem ------ipconfig                                                             >> "%systemroot%\ip.bat"
      echo ipconfig /all                                                                  >> "%systemroot%\ip.bat"
      echo ping 164.124.101.2 -n 2                                                        >> "%systemroot%\ip.bat"
      echo pause                                                                          >> "%systemroot%\ip.bat"
      echo :end                                                                           >> "%systemroot%\ip.bat"
    rem ------------ipp.bat 
      echo @echo off                                                                       > "%systemroot%\ipp.bat"
      echo rem ------ipconfig                                                             >> "%systemroot%\ipp.bat"
      echo ipconfig /all                                                                  >> "%systemroot%\ipp.bat"
      echo ping 164.124.101.2 -n 300                                                      >> "%systemroot%\ipp.bat"
      echo :end                                                                           >> "%systemroot%\ipp.bat"
    rem -----------------QuickDownload 
      rem NOTE(review): this section force-kills the QuickDownload and ExpressService
      rem processes, stops and deletes five services with net stop and sc delete, then
      rem removes three Program Files directories. qdownagent.exe is listed twice, and
      rem qdownload_setup.msi is an installer package name rather than a process image,
      rem so that taskkill presumably matches nothing.
      taskkill /f /im "qdownagent.exe"
      taskkill /f /im "qdownagent.exe"
      taskkill /f /im "qdownload_setup.exe"
      taskkill /f /im "qdownload_setup.msi"
      taskkill /f /im "qdownservice.exe"
      taskkill /f /im "qdownupdate.exe"
      taskkill /f /im "ExpressService.exe"
      net stop "QuickDownload Agent"
      net stop "QuickDownload Service"
      net stop "QuickDownload Update"
      net stop "ExpressService"
      net stop "FIDownService"
      sc delete "QuickDownload Update"
      sc delete "QuickDownload Service"
      sc delete "QuickDownload Agent"
      sc delete "ExpressService"
      sc delete "FIDownService"
      rmdir /s /q "c:\Program Files\QuickDownloadService"
      rmdir /s /q "c:\Program Files\kdisk.co.kr"
      rmdir /s /q "C:\Program Files\ZioFile"
    rem -----------------snapshot 
      rem NOTE(review): the rest of the script deletes the HKCU\Software\SnapShot key, removes
      rem several executables from the root of C: and pp1.bat from the Windows directory,
      rem then force-closes every iexplore.exe and opens http://silkroad.cuckoo.co.kr through
      rem the start command. The forced kill discards any open browser sessions.
      reg delete "HKCU\Software\SnapShot" /f
    rem -----------------
      del /q "C:\def.exe"
      del /q "C:\as400.exe"
      del /q "C:\vrchk.exe"
      del /q "C:\_Config*.exe"
      del /q "%systemroot%\pp1.bat"
    rem -----------------iexplore.exe 
      taskkill /f /im "iexplore.exe"
      start "silkroad" /b "http://silkroad.cuckoo.co.kr"
priv.ser                                                                                            
java.util.Hashtable
loadFactorI
	thresholdxp?@
java.net.URL
hashCodeI
	authorityt
Ljava/lang/String;L
protocolq
kryanpw0001.cuckoo.domaint
#/Windchill/wt/security/security.jarq
httppxsr
wt.security.Privileges
capabilitiest
Ljava/util/Hashtable;L
nicknameq
securityContextt
Ljava/lang/Object;xpsq
java.lang.Boolean
valuexp
Chttp://kryanpw0001.cuckoo.domain/Windchill/wt/security/security.jarq
trusted.certs                                                                                       
%deploymentusercert7441557316608569474
VeriSign, Inc.1
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)041.0,
%VeriSign Class 3 Code Signing 2004 CA0
060810000000Z
090928235959Z0
	Minnesota1
Arden Hills1*0(
!Parametric Technology Corporation1503
,Digital ID Class 3 - Netscape Object Signing1
Windchill Technology1*0(
!Parametric Technology Corporation0
/http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
https://www.verisign.com/rpa0
http://ocsp.verisign.com0?
3http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
==d6|h
-deploymentusercert$tsflag-4581865362322778473
Thawte, Inc.1$0"
Thawte Code Signing CA - G20
110325000000Z
120523235959Z0U1
Seoul1
Guro-gu1
GSNeotek1
GSNeotek0
*http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
http://ocsp.thawte.com0
&deploymentusercert-5574634470119209825
VeriSign, Inc.1
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)011.0,
%VeriSign Class 3 Code Signing 2001 CA0
030911000000Z
040926235959Z0
Santa Clara1
Sun Microsystems, Inc1503
,Digital ID Class 3 - Netscape Object Signing1503
,Digital ID Class 3 - Netscape Object Signing1
Sun Microsystems, Inc0
1http://crl.verisign.com/Class3CodeSigning2001.crl0D
https://www.verisign.com/rpa0
https://ocsp.verisign.com0
,deploymentusercert$tsflag3260474893349970846
erpdev1
CRP2_erpdev0 
100602044306Z
20500523044306Z0C1
erpdev1
CRP2_erpdev0
Q&iE]@"Q
A9K7DMz
KERNEL32.DLL
crtdll.dll
shell32.dll
shlwapi.dll
user32.dll
CloseHandle
CreateFileA
DeleteFileA
ExitProcess
WriteFile
GetCommandLineA
lstrcatA
GetTempFileNameA
GetTempPathA
PathQuoteSpacesA
PathAddBackslashA
wsprintfA
_mkdir
_getcwd
ShellExecuteA