688a691d688d832a5bf42548ad4491b3.jar

1. https://virustotal.com/en/file/c4162014a222865c4794172c227c7eb336e3a1d580ecd9d6ad864f7d3a3d3549/analysis/
2.  
3. Malware:
4.  
5. Backdoor.Adwind.MVX
6. Application Type: Java JDK JRE 8.0
7. File Type: jar
8. Yara rule:
9.  
10. FE_Jar_Backdoor_4
11.  
12.  
13. Malicious Behavior Observed
14.  
15. VM Capture:(s) [1] pcap 8934 bytes (text)
16. [2] pcap 3612 bytes (text)
17. Raw Alert: Download (xml)
18. MD5: 688a691d688d832a5bf42548ad4491b3
19. Analysis OS(es): Microsoft Windows7 64-bit 6.1 sp1 16.1115
20. Microsoft WindowsXP 32-bit 5.1 sp3 16.1115
21. Archived Object: 688a691d688d832a5bf42548ad4491b3.zip
22. Bot Communication Details:
23. Server DNS Name: dam5i6.linkpc.net Service Port: 53 Signature Name: Malware.Binary.jar
24. Raw Command
25. \026\003\003\000\351\001\000\000\345\003\003X\276\345\223*]\336`z\245\254\223::\005\362::\364Q\314\2
26. 27\345\256\374\322\277\370h\300\265\300c\266\000\000F\300#\300'\000<\300%\300)\000g\000@\300\011\
27. 300\023\000/\300\004\300\016\0003\0002\300\007\300\021\000\005\300\002\300\014\300+\300/\000\234\
28. 300-\3001\000\236\000\242\300\010\300\022\000
29. \300\003\300::\000\026\000\023\000\004\000\377\001\000\000v\000
30. \0004\0002\000\027\000\001\000\003\000\023\000\025\000\006\000\007\000\011\000
31. \000\030\000\013\000\014\000\031\000::\000\016\000\017\000\020\000\021\000\002\000\022\000\004\000\0
32. 05\000\024\000\010\000\026\000\013\000\002\001\000\000::\000\032\000\030\006\003\006\001\005\003\
33. 005\001\004\003\004\001\003\003\003\001\002\003\002\001\002\002\001\001\000\000\000\026\000\024\0
34. 00\000\021dam5i6.linkpc.net\026\003\003\001\006\020\000\001\002\001\000-\010\234
35. \246PS\337\374L\303t\303\237k\202^!\2019!$\201\267\335\367~\011?\362(\001f\315P\350\300J\336::T\202\
36. 275\3334\024\007\034\2311-\347y\256\240\301wq\007\263t\210=\014\264<b\227\\\377\332&\243{\022\235
37. \024d\274\303\001\362\314\375&\2436\312\351`\0264\317tx\247\220\355"\271\216\204\225[\035\320\036
38. \350\2424gr\004\227&E\0071\355\255\\\035h\365\323\335
39. \220\224\025\214\240\025RB::\235i\236\303\351\374\002\003\200\221=z\025\034\372\246\312\312\230g\234
40. \241p\331E\305\371\367L\203\230GW\247>\036\357iB\342\005\357\271\333\333\337H\271\221\273\\\204\3
41. 33.5
42. \0344\024\331\242\336\246\316`\233^e\371u\272,b\215e>\347\301+\205\260\320\377Y\276\006aC\333\234\03
43. 7\236\272\206\354\275\301\014\310#\264\355\363zU\323\223\035\305\033\276\233\204s=R'\355\004\257\
44. 024\003\003\000\001\001\026\003\003\000P\261S\003\263\312N8\363\221\033\030\332\332\321\230\336\3
45. 02$\202b\026\356bb::\345\023\277M*\335p|\252\247=\250\374\021\362\253I\372\276 f\350\260od\3129S[
46. \311\030\226\270\000\357\017&\307\317\0350\236(&|Z2\330\271q\270?.3+\027\003\003\000@?\003g\221\3
47. 24\264bA\236\205\260 \341-\002\261@p\271\020\315A\376\224\001\243\242\346#\221\0113%\367\273G}+\3
48. 269;\374\361\330
49. R
50. \026\003\001\000\257\001\000\000\253\003\001X\276\345\246.\325\307\266\022[&\220\377\371\325\231\000
51. \000\244K@61\255\356\345\346]\022\3045s\000\000*\300\011\300\023\000/\300\004\300\016\0003\0002\3
52. 00\007\300\021\000\005\300\002\300\014\300\010\300\022\000
53. \300\003\300::\000\026\000\023\000\004\000\377\001\000\000X\000
54. \0004\0002\000\027\000\001\000\003\000\023\000\025\000\006\000\007\000\011\000
55. \000\030\000\013\000\014\000\031\000::\000\016\000\017\000\020\000\021\000\002\000\022\000\004\000\0
56. 05\000\024\000\010\000\026\000\013\000\002\001\000\000\000\000\026\000\024\000\000\021dam5i6.link
57. pc.net\026\003\001\001\006\020\000\001\002\001\000\210Ly\000\271\361g{P\011\013S\221\364/\263\211
58. \261W\005\330\310\317\351\341\231\213)\2721\232\274\316\21263>\2564\372\024\037\310\213\324\256r\
59. 341\315\320q8\207.\250\033\313x&\272DJ\017\333\016\027\203\007 $:\022\3371]7\207\241\355:S\262i\1
60. 77\004\006\231r\365k\272\000g\256\236\326\025fg\223\367p7x\011'\371F\013\344V\321\327$~U\\\263\\\
61. 210\270\177\303D%\212z\310W\270\304\213\233Z\030\023y\010\275\300!\270\033;\320C\332S\2615\342\02
62. 6\245\036\266o\364\374y#o\030}\373\307\2523m\350\257\264\205\320\362\366::\207\246\216p!\351#u\34
63. 3\276U\362\265\275+::"k\014\312\230\377\3416\025\277b\217\374\375=\240\231\307\271\372\233\32745\
64. 320\241k\230VZ\3347\303\000\020\222 \217&\273\343<\332g\271\366\255\026.\207\344@2\331NN\367(\326
65. \253\353<\031%\024\003\001\000\001\001\026\003\001\0000\247\210\357\265\273\271\305|T\245Q`\320\2
66. 13~\271MU\314/\224v\257\036\324\212R\303IM&-\224\230\264V\346\321e
67. ::z\023a\314%Q\342\027\003\001\000 C\033\3245\225\371\302\212\226\202E\177\262\201\272\303\177\312\3
68. 24\303=\204\253H\033\214\357RP\006\374Q\254\355\000\005
69. OS Change Detail (version: 1.2727) | Items: 1006 | OS Info: Microsoft WindowsXP 32-bit 5.1 sp3 16.1115 Top
70. Type Mode/Class Details (Path/Message/Protocol/Hostname/Qtype/ListenPort etc.) Process ID Parent ID File Size
71. Analysis
72. Malware
73.  
74.  
75. Application
76.  
77.  
78. Os
79.  
80. Name: windows Version: 5.1.2600 Service Pack: 3 Arch: x86
81.  
82. Os Monitor
83.  
84. Version: 16R1 Build: 582114 Date: Nov 15 2016 Time: 17:25:53
85.  
86. Config Update
87.  
88.  
89. Uac
90. Service
91.  
92. Windows Image Acquisition (WIA)
93.  
94. Uac
95. Service
96.  
97. Telephony
98.  
99. Uac
100. Service
101.  
102. Remote Access Connection Manager
103.  
104. Javacall
105.  
106. Method: getResourceAsStream
107. Params: [/9be9f6isq9t1ad9opto80bh18kguqcb3u79uh0bed3taircu.
108. gif]
109. Imagepath: c:\windows\system32\java.exe
110. 3760
111. Javacall
112.  
113. Method: openStream Imagepath: c:\windows\system32\java.exe
114. 3760
115. Javacall
116.  
117. Method: getResourceAsStream
118. Params: [/-65j7mj692komlevnjqk1c8dgs6e1t15rkspltlvgfqoefksk
119. gkpvi21ig6gj3g1f.gif]
120. Imagepath: c:\windows\system32\java.exe
121. 3760
122. Javacall
123.  
124. Method: getResourceAsStream
125. Params: [/-no6q083avlup4e1rhms2gn5j13r5v5kgiov1kb9st5llm570
126. 5moa8hils5ajtq5m30vmn99g0m1.gif]
127. Imagepath: c:\windows\system32\java.exe
128. 3760
129. Javacall
130.  
131. Method: getResourceAsStream
132. Params: [/-pv968smfdgk2svleupgjshksp1e3bto6v7a6gdp1qfhalill
133. cv6btdkp0hn.gif]
134. Imagepath: c:\windows\system32\java.exe
135. 3760
136. Javacall
137.  
138. Method: getResourceAsStream
139. Params: [/-erike4uakjoskm2ik5kd195vnv4cl4n5ln2l5er0ip83atvo
140. .gif]
141. Imagepath: c:\windows\system32\java.exe
142. 3760
143. Javacall
144.  
145. Method: CONSTRUCTOR
146. Params: [/C:/Documents and Settings/admin/Local Settings/Te
147. mp/PI - Revised.jar]
148. Imagepath: c:\windows\system32\java.exe
149. 3760
150. Javacall
151.  
152. Method: CONSTRUCTOR
153. Params: [C:\Documents and Settings\admin\Local Settings\Tem
154. p\PI - Revised.jar]
155. Imagepath: c:\windows\system32\java.exe
156. 3760
157. Javacall
158.  
159. Method: CONSTRUCTOR
160. Params: [q-2966008960316637591, null, -1, C:\Documents and Settings\admin\Local Settings\Tem
161. p\PI - Revised.jar/, 0x02E0D4EC]
162. Imagepath: c:\windows\system32\java.exe
163. 3760
164. Javacall
165.  
166. Method: getResourceAsStream
167. Params: [/-1edd1f6pvtj2g12ld1loquqldvn5jcdpdkrtvhd.gif]
168. Imagepath: c:\windows\system32\java.exe
169. 3760
170. Javacall
171.  
172. Method: getResourceAsStream
173. Params: [/26ebpurt88hi7a3mbft1mu0hn8arkqrofcfied28odt123rol
174. jk1rl8g2f9gnpieiqeuekkl31elvcgvpe01vqk6emqr208h
175. phf0temciqe8bs7ptm2mhr1sc291j7i6dcckk9ab7j9dvs1
176. cnqte1t6u6f2pahau6be6ej11mo6ehu0l0dn7j7c4rub0tg
177. ubij48rsebmodn8oslbstcgak6r18mdq0ivjb37fi81ibu3
178. tknt3im78f4f2fovf]
179. Imagepath: c:\windows\system32\java.exe
180. 3760
181. Javacall
182.  
183. Method: getResourceAsStream
184. Params: [/4ftv33g9veq2otoiaa3b264ntbekvsh72eelpk2fi0a23fep4
185. 9dacjgblm6q7003ctse5l4udtlpnngpsn82255mfa8os4ju
186. clpce5tgir3k8fsd0mg2qladuk3d216hoq6ittu1f7odp7j
187. rqfqd7sggsmfmld121p94pd0a73ai1i6bd3flbe75i0m912
188. ci407oqt0jdch8187gl835h9m151ljaejhmd18j0op1nk2b
189. 6lv1r288vfa8dektp]
190. Imagepath: c:\windows\system32\java.exe
191. 3760
192. Javacall
193.  
194. Method: getResourceAsStream
195. Params: [/752nkbh63s35v4trc18v9dt4k1psgfcmv365p9t5a9bvqlhvo
196. t1p3rcasrhme9d25u4luoo5dg2g953hrqbd5pdr871ts0ip
197. ol7elu2utl9iacusj3uta5cqlmoh448vtnht3hshhnlondh
198. kkkkrknvvgik1aivj82n3ngeh83h0lsp6oicao43fbtl9sb
199. 6ged14dhkpbhktbie471e2enehcmebv4la6ljf6ui9rs7bj
200. 4c1sgob76genhsulm]
201. Imagepath: c:\windows\system32\java.exe
202. 3760
203. Javacall
204.  
205. Method: getResourceAsStream
206. Params: [/7dl3ptd7tbkjv345ue8d846kefo8o7u2vnqd5vcha55gbql2d
207. eldt5qp34amjico2u0b36pd4abg64ucs9ukggsr5v50mch2
208. krv8vt9hv4c1d0uhjbg8a9nu62s9fog77epkr0ovep4979s
209. 9lqhh64vrje1dq0us7mto3kl6hr91rtlf4p68e246cg9rl2
210. 5v6091t7tmv63tg383phvrdjv6q391elv6pv7nhd7r00vs9
211. r4oc3h0br3t6v121h]
212. Imagepath: c:\windows\system32\java.exe
213. 3760
214. Javacall
215.  
216. Method: getResourceAsStream
217. Params: [/3tp64r798a114eqbig0cvkjuko4b7g7fp7acb5ntd9nqasalb
218. 3avo29prv12n5jek2lb0irs20lsarnvh9ks3bm0nqispo59
219. rinlb07ji6acculote2t2rf7r8iuvmbgffk1s8qjhrq8ad6
220. s9c15m0nba8v7ebfmc8nmdpbtv76ta48419hh40pokb2104
221. 3npelmrk23sb00lu74klm8mla8su9q4gro8h0fii7mb61m3
222. 8t347n61vd4d5ndii]
223. Imagepath: c:\windows\system32\java.exe
224. 3760
225. Javacall
226.  
227. Method: getResourceAsStream
228. Params: [/o/y/d/d/a/a.s]
229. Imagepath: c:\windows\system32\java.exe
230. 3760
231. Javacall
232.  
233. Method: getResourceAsStream
234. Params: [/d19nh5e75jl0c7kj1m95t81gu4ve0uh5e8d2ije1rn3qlv9ou
235. dgcth0280m0m6nb4lne91oujevrt6o7ohlpecnsjt7o5hqh
236. ls050sgja953jbp7i6qp1vurflqsrtjq04ac2scgnj8l8ka
237. q3u0thcgoc1aum269vet9cd8hl73p2gacflu4b5tk7ssve2
238. ouicie89qu2avim6ocejtvkh57e0tv1lhpj0n5r0bbgn451
239. b5deb4fd0oei47029]
240. Imagepath: c:\windows\system32\java.exe
241. 3760
242. Javacall
243.  
244. Method: getResourceAsStream
245. Params: [/5mr08jvrncdqd649s7l8kpjuh31dqcbkoifcf5s61tvrbqecv
246. fnbdhti5bjfjf5alaee5et4f3cfggirc3qt1niuq0f3fit1
247. c21h227eofiktqe4kbl9fuvcjpom6iikom10k66966cuv7k
248. a0ub2qk7hlidrl36cv5cal2nvhq7b94pl9t5d4g00kocpj0
249. 8epk5ga7p9heb6qjk9u0lh6b2nr7jt37osup2ah79ks4ce3
250. h327k1mkmituesbkc]
251. Imagepath: c:\windows\system32\java.exe
252. 3760
253. Javacall
254.  
255. Method: getResourceAsStream
256. Params: [/-7koglsldpr87c4n1fmgnlm5r57o5jckouk9aa2358gkq695j
257. 44ql7ltofehm04iej3t5svja9lar5f886b8dj8rktd6jkiv
258. vvj3ijtjqtenue36cark2gdsa4pb5t2ic7gecbsc4252piv
259. fceaptu70i39fptvl1q21j1aph742hpffodqj4e7qbkfg66
260. fra1qbac0bh2qh3qusplnmg94kjkscb82lg9tlk3247jvjl
261. 8v3fsr078g4hbp2cf]
262. Imagepath: c:\windows\system32\java.exe
263. 3760
264. Javacall
265.  
266. Method: getResourceAsStream
267. Params: [/-37kf42mjrp9har7i5rileuv70n60dcp94712emjeor6noil5
268. 846567fnbieuta29abj13p1sj3hhe63aoi2pqjur0evnnib
269. mmvrji5q9r8lffd6ikdhp310sga7i8v0om7n4r6jviq392c
270. 78mu9op9mfivi7k5lrc18vbcsksc39hi7d71bo1dp7ihchj
271. ne795mi4iqc46n7sf08am3lrcsq1rhdn8slj5je53d43qk6
272. 68o4b2o99u9f2rngg]
273. Imagepath: c:\windows\system32\java.exe
274. 3760
275. Regkey
276. Added
277.  
278. \REGISTRY\MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
279. 3760
280. Regkey
281. Added
282.  
283. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
284. 3760
285. 13 Repeated items skipped
286. Javacall
287.  
288. Method: getResourceAsStream
289. Params: [/617llbcc0ngi10p2lgh0qnojk1tj0msl5so0s5f2nfcq4gn8i
290. uqgilhaspo40dqquapatote391rv0q4sgvfgjdobq0cani4
291. 015miebeh53sbfdgtfhqgl1lqbq59ru3svcdnv0c4a43n5i
292. k5uevad4rg5vtg4bn2udqbcofd0jq74vusn60r5rphpn8b1
293. ievjf8fpll8cjgbdc2rf5fou6dh04p4p81rdfao1dj4mgpr
294. 1pirnp1kp2mp4n800]
295. Imagepath: c:\windows\system32\java.exe
296. 3760
297. Javacall
298.  
299. Method: loadFromXML
300. Params: [0x02E5F0C4]
301. Imagepath: c:\windows\system32\java.exe
302. 3760
303. Javacall
304.  
305. Method: getResourceAsStream
306. Params: [/ivDDwrKZ/kBadKz/hGfrGvG/mMfYL.qHG]
307. Imagepath: c:\windows\system32\java.exe
308. 3760
309. Javacall
310.  
311. Method: getResourceAsStream
312. Params: [/-3blebl3sqtb7326he2gdf7fs72bptlogtagqhlf9atkq8auj
313. 6muu21sk81t6hdrf62ss8tq08lbfsn33en81543khj5fgdv
314. 3njb9kduqq3bj269bedefg08kmepu5hiev8rdl1h173lgbp
315. jpmb4vfasusbdpfuqp283cc6029kvct7c0vq26np5ijllso
316. 90onsj2mgu5trvmkt52lfsfn29cv7baq8n897vmhdr9kf0i
317. 26dfi9tq99d4ssnar]
318. Imagepath: c:\windows\system32\java.exe
319. 3760
320. Javacall
321.  
322. Method: getResourceAsStream
323. Params: [/-5ggim0caqin4cikuicorrf12q1uvkk1ki07oa7fvqudb2kp1
324. 3l3kdtucq3qr9blm8qjlm1doae3tea80517i6v48m3p4dc4
325. 8r5652cfvg5hd8ieteujd29gppc3ql3n6a04q4nibip1ke7
326. 0p9f94aamummfeklicjcvlmbp07vv6geqegfbcm25344qqc
327. 125rok7j3rv2qvopfm8faih7e144ahdihfqmuv5f2mbe29v
328. m69p6gtjmfmfgu2a3]
329. Imagepath: c:\windows\system32\java.exe
330. 3760
331. Javacall
332.  
333. Method: getResourceAsStream Imagepath: c:\windows\system32\java.exe
334. 3760
335. Javacall
336.  
337. Method: read
338. Params: [#NOT_STRING_VECTOR#]
339. Imagepath: c:\windows\system32\java.exe
340. 3760
341. Javacall
342.  
343. Method: read
344. Params: [#NOT_STRING_VECTOR#]
345. Imagepath: c:\windows\system32\java.exe
346. 3760
347. 3 Repeated items skipped
348. Regkey
349. Queryvalue
350.  
351. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
352. 3760
353. 3 Repeated items skipped
354. Regkey
355. Added
356.  
357. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows NT\CurrentVer
358. sion\Winlogon
359. 3760
360. Javacall
361.  
362. Method: loadFromXML
363. Params: [0x02F560DC]
364. Imagepath: c:\windows\system32\java.exe
365. 3760
366. Javacall
367.  
368. Method: read
369. Params: [#NOT_STRING_VECTOR#]
370. Imagepath: c:\windows\system32\java.exe
371. 3760
372. Javacall
373.  
374. Method: read
375. Params: [#NOT_STRING_VECTOR#]
376. Imagepath: c:\windows\system32\java.exe
377. 3760
378. 15 Repeated items skipped
379. Javacall
380.  
381. Method: read Imagepath: c:\windows\system32\java.exe
382. 3760
383. Javacall
384.  
385. Method: read Imagepath: c:\windows\system32\java.exe
386. 3760
387. 7 Repeated items skipped
388. Mutex
389.  
390. \BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
391. 3760
392. Mutex
393.  
394. \BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
395. 3760
396. Mutex
397.  
398. \BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
399. 3760
400. Mutex
401.  
402. \BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
403. 3760
404. Mutex
405.  
406. \BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
407. 3760
408. Mutex
409.  
410. \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-1409082233-688789844-725345543-1003MUTEX.Defau
411. ltS-1-5-21-1409082233-688789844-725345543-1003
412. 3760
413. Javacall
414.  
415. Method: CONSTRUCTOR
416. Params: [0x03269454]
417. Imagepath: c:\windows\system32\java.exe
418. 3760
419. Javacall
420.  
421. Method: getProperty
422. Params: [os.name]
423. Imagepath: c:\windows\system32\java.exe
424. 3760
425. Javacall
426.  
427. Method: getProperty
428. Params: [os.version]
429. Imagepath: c:\windows\system32\java.exe
430. 3760
431. Javacall
432.  
433. Method: createTempFile
434. Params: [Retrive, .vbs]
435. Imagepath: c:\windows\system32\java.exe
436. 3760
437. Javacall
438.  
439. Method: exec
440. Params: [ 'cmd.exe' '/C' 'cscript.exe' 'C:\DOCUME~1\admin\L
441. OCALS~1\Temp\Retrive8544709626358155237.vbs']
442. Imagepath: c:\windows\system32\java.exe
443. 3760
444. Malicious Alert
445. Malware Family
446.  
447. Message: Possible Adwind Indicator
448.  
449. Javacall
450.  
451. Method: exec
452. Params: [ 'cmd.exe' '/C' 'cscript.exe' 'C:\DOCUME~1\admin\L
453. OCALS~1\Temp\Retrive8544709626358155237.vbs', null, null]
454. Imagepath: c:\windows\system32\java.exe
455. 3760
456. File
457. Created
458.  
459. C:\Documents and Settings\admin\Local Settings\Temp\Retrive8544709626358155237.vbs
460. 3760
461. File
462. Close
463.  
464. C:\Documents and Settings\admin\Local Settings\Temp\Retrive8544709626358155237.vbs
465. 3760
466. File
467. Overwritten
468.  
469. C:\Documents and Settings\admin\Local Settings\Temp\Retrive8544709626358155237.vbs
470. 3760
471. Malicious Alert
472. Generic Non Exe Anomalous Activity
473.  
474. Message: File overwritten by non-executable
475.  
476. File
477. Close
478.  
479. C:\Documents and Settings\admin\Local Settings\Temp\Retrive8544709626358155237.vbs
480. MD5: e3be4a2dd9de5ea56e566c49555910cf
481. SHA1: 382104ffc87d550cf9db68346a116ddf73f06f7c
482. 3760 275
483. Process
484. Started
485.  
486. C:\WINDOWS\system32\cmd.exe
487. Parentname: C:\WINDOWS\system32\java.exe
488. Command Line: cmd.exe /C cscript.exe C:\DOCUME~1\admin\LOCALS~1\Temp\Retrive8544709626358155237.vbs
489. MD5: 6d778e0f95447e6546553eeea709d03c
490. SHA1: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
491. 3888 3760 389120
492. Malicious Alert
493. Misc Anom
494.  
495. Message: Process started from jar
496.  
497. Malicious Alert
498. Misc Anom
499.  
500. Message: Suspicious process
501.  
502. File
503. Open
504.  
505. C:
506. 3888
507. File
508. Close
509.  
510. C:
511. 3888
512. Malicious Alert
513. Hardware Tampering Activity
514.  
515. Message: Direct disk access
516.  
517. Mutex
518.  
519. \BaseNamedObjects\SHIMLIB_LOG_MUTEX
520. 3888
521. Regkey
522. Added
523.  
524. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio
525. 3888
526. Regkey
527. Added
528.  
529. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
530. ression Manager\
531. 3888
532. Regkey
533. Added
534.  
535. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
536. ression Manager\MSACM
537. 3888
538. Regkey
539. Added
540.  
541. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
542. ression Manager\
543. 3888
544. Regkey
545. Added
546.  
547. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
548. ression Manager\Priority v4.00
549. 3888
550. Process
551. Started
552.  
553. C:\WINDOWS\system32\cscript.exe
554. Parentname: C:\WINDOWS\system32\cmd.exe
555. Command Line: cscript.exe C:\DOCUME~1\admin\LOCALS~1\Temp\Retrive8544709626358155237.vbs
556. MD5: 3c080025710f409484862a4373dafae0
557. SHA1: e1295ed82db58893993f00f804ca3df5b75ee327
558. 3900 3888 139264
559. File
560. Open
561.  
562. C:
563. 3900
564. File
565. Close
566.  
567. C:
568. 3900
569. File
570. Created
571.  
572. C:\Documents and Settings\admin\Local Settings\Temp\Retrive5993622756038747265.vbs
573. 3880
574. File
575. Close
576.  
577. C:\Documents and Settings\admin\Local Settings\Temp\Retrive5993622756038747265.vbs
578. 3880
579. File
580. Overwritten
581.  
582. C:\Documents and Settings\admin\Local Settings\Temp\Retrive5993622756038747265.vbs
583. 3880
584. File
585. Close
586.  
587. C:\Documents and Settings\admin\Local Settings\Temp\Retrive5993622756038747265.vbs
588. MD5: e3be4a2dd9de5ea56e566c49555910cf
589. SHA1: 382104ffc87d550cf9db68346a116ddf73f06f7c
590. 3880 275
591. Mutex
592.  
593. \BaseNamedObjects\SHIMLIB_LOG_MUTEX
594. 3900
595. Process
596. Started
597.  
598. C:\WINDOWS\system32\cmd.exe
599. Parentname: C:\WINDOWS\system32\java.exe
600. Command Line: cmd.exe /C cscript.exe C:\DOCUME~1\admin\LOCALS~1\Temp\Retrive5993622756038747265.vbs
601. MD5: 6d778e0f95447e6546553eeea709d03c
602. SHA1: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
603. 3996 3880 389120
604. File
605. Open
606.  
607. C:
608. 3996
609. Regkey
610. Added
611.  
612. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio
613. 3900
614. Regkey
615. Added
616.  
617. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
618. ression Manager\
619. 3900
620. Regkey
621. Added
622.  
623. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
624. ression Manager\MSACM
625. 3900
626. Regkey
627. Added
628.  
629. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
630. ression Manager\
631. 3900
632. Regkey
633. Added
634.  
635. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
636. ression Manager\Priority v4.00
637. 3900
638. File
639. Close
640.  
641. C:
642. 3996
643. Regkey
644. Queryvalue
645.  
646. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
647. 3900
648. Mutex
649.  
650. \BaseNamedObjects\SHIMLIB_LOG_MUTEX
651. 3996
652. Mutex
653.  
654. \BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
655. 3900
656. Mutex
657.  
658. \BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
659. 3900
660. Mutex
661.  
662. \BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
663. 3900
664. Mutex
665.  
666. \BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
667. 3900
668. Mutex
669.  
670. \BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
671. 3900
672. Mutex
673.  
674. \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-1409082233-688789844-725345543-1003MUTEX.Defau
675. ltS-1-5-21-1409082233-688789844-725345543-1003
676. 3900
677. Regkey
678. Added
679.  
680. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio
681. 3996
682. Regkey
683. Added
684.  
685. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
686. ression Manager\
687. 3996
688. Regkey
689. Added
690.  
691. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
692. ression Manager\MSACM
693. 3996
694. Regkey
695. Added
696.  
697. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
698. ression Manager\
699. 3996
700. Regkey
701. Added
702.  
703. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
704. ression Manager\Priority v4.00
705. 3996
706. Regkey
707. Added
708.  
709. \REGISTRY\MACHINE\Software\Microsoft\Windows Script Host\Settings
710. 3900
711. Regkey
712. Added
713.  
714. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows Script Host\S
715. ettings
716. 3900
717. Process
718. Started
719.  
720. C:\WINDOWS\system32\cscript.exe
721. Parentname: C:\WINDOWS\system32\cmd.exe
722. Command Line: cscript.exe C:\DOCUME~1\admin\LOCALS~1\Temp\Retrive5993622756038747265.vbs
723. MD5: 3c080025710f409484862a4373dafae0
724. SHA1: e1295ed82db58893993f00f804ca3df5b75ee327
725. 4008 3996 139264
726. File
727. Open
728.  
729. C:
730. 4008
731. Regkey
732. Added
733.  
734. \REGISTRY\MACHINE\Software\Microsoft\WBEM\CIMOM
735. 3900
736. 3 Repeated items skipped
737. Regkey
738. Queryvalue
739.  
740. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
741. 3900
742. 2 Repeated items skipped
743. Wmiquery
744.  
745. Imagepath: C:\WINDOWS\system32\cscript.exe
746. 3900
747. Malicious Alert
748. Misc Anom
749.  
750. Message: Suspicious Evasion Activities
751.  
752. Process
753. Terminated
754.  
755. C:\WINDOWS\system32\cscript.exe
756. Parentname: C:\WINDOWS\system32\cmd.exe
757. Command Line: N/A
758. 3900 3888
759. Process
760. Terminated
761.  
762. C:\WINDOWS\system32\cmd.exe
763. Parentname: C:\WINDOWS\system32\java.exe
764. Command Line: N/A
765. 3888 3760
766. Javacall
767.  
768. Method: delete Imagepath: c:\windows\system32\java.exe
769. 3760
770. File
771. Delete
772.  
773. C:\Documents and Settings\admin\Local Settings\Temp\Retrive8544709626358155237.vbs
774. MD5: e3be4a2dd9de5ea56e566c49555910cf
775. SHA1: 382104ffc87d550cf9db68346a116ddf73f06f7c
776. 3760 275
777. Malicious Alert
778. Generic Non Exe Anomalous Activity
779.  
780. Message: File deleted by non-executable
781.  
782. Javacall
783.  
784. Method: createTempFile
785. Params: [Retrive, .vbs]
786. Imagepath: c:\windows\system32\java.exe
787. 3760
788. File
789. Created
790.  
791. C:\Documents and Settings\admin\Local Settings\Temp\Retrive5781670612385944639.vbs
792. 3760
793. File
794. Close
795.  
796. C:\Documents and Settings\admin\Local Settings\Temp\Retrive5781670612385944639.vbs
797. 3760
798. File
799. Overwritten
800.  
801. C:\Documents and Settings\admin\Local Settings\Temp\Retrive5781670612385944639.vbs
802. 3760
803. File
804. Close
805.  
806. C:\Documents and Settings\admin\Local Settings\Temp\Retrive5781670612385944639.vbs
807. MD5: 23d64aa62b580f8bea2de9e2c51a0446
808. SHA1: c23a027741d2f92c9ef5c52d9e464a25f7c25215
809. 3760 280
810. Javacall
811.  
812. Method: exec
813. Params: [ 'cmd.exe' '/C' 'cscript.exe' 'C:\DOCUME~1\admin\L
814. OCALS~1\Temp\Retrive5781670612385944639.vbs']
815. Imagepath: c:\windows\system32\java.exe
816. 3760
817. Javacall
818.  
819. Method: exec
820. Params: [ 'cmd.exe' '/C' 'cscript.exe' 'C:\DOCUME~1\admin\L
821. OCALS~1\Temp\Retrive5781670612385944639.vbs', null, null]
822. Imagepath: c:\windows\system32\java.exe
823. 3760
824. Process
825. Started
826.  
827. C:\WINDOWS\system32\cmd.exe
828. Parentname: C:\WINDOWS\system32\java.exe
829. Command Line: cmd.exe /C cscript.exe C:\DOCUME~1\admin\LOCALS~1\Temp\Retrive5781670612385944639.vbs
830. MD5: 6d778e0f95447e6546553eeea709d03c
831. SHA1: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
832. 4036 3760 389120
833. File
834. Open
835.  
836. C:
837. 4036
838. File
839. Close
840.  
841. C:
842. 4008
843. Mutex
844.  
845. \BaseNamedObjects\SHIMLIB_LOG_MUTEX
846. 4008
847. File
848. Close
849.  
850. C:
851. 4036
852. Regkey
853. Added
854.  
855. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio
856. 4008
857. Regkey
858. Added
859.  
860. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
861. ression Manager\
862. 4008
863. Regkey
864. Added
865.  
866. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
867. ression Manager\MSACM
868. 4008
869. Regkey
870. Added
871.  
872. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
873. ression Manager\
874. 4008
875. Regkey
876. Added
877.  
878. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
879. ression Manager\Priority v4.00
880. 4008
881. Mutex
882.  
883. \BaseNamedObjects\SHIMLIB_LOG_MUTEX
884. 4036
885. Regkey
886. Queryvalue
887.  
888. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
889. 4008
890. Regkey
891. Added
892.  
893. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio
894. 4036
895. Regkey
896. Added
897.  
898. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
899. ression Manager\
900. 4036
901. Regkey
902. Added
903.  
904. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
905. ression Manager\MSACM
906. 4036
907. Regkey
908. Added
909.  
910. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
911. ression Manager\
912. 4036
913. Regkey
914. Added
915.  
916. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
917. ression Manager\Priority v4.00
918. 4036
919. Mutex
920.  
921. \BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
922. 4008
923. Mutex
924.  
925. \BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
926. 4008
927. Mutex
928.  
929. \BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
930. 4008
931. Mutex
932.  
933. \BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
934. 4008
935. Mutex
936.  
937. \BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
938. 4008
939. Mutex
940.  
941. \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-1409082233-688789844-725345543-1003MUTEX.Defau
942. ltS-1-5-21-1409082233-688789844-725345543-1003
943. 4008
944. Regkey
945. Added
946.  
947. \REGISTRY\MACHINE\Software\Microsoft\Windows Script Host\Settings
948. 4008
949. Regkey
950. Added
951.  
952. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows Script Host\S
953. ettings
954. 4008
955. Process
956. Started
957.  
958. C:\WINDOWS\system32\cscript.exe
959. Parentname: C:\WINDOWS\system32\cmd.exe
960. Command Line: cscript.exe C:\DOCUME~1\admin\LOCALS~1\Temp\Retrive5781670612385944639.vbs
961. MD5: 3c080025710f409484862a4373dafae0
962. SHA1: e1295ed82db58893993f00f804ca3df5b75ee327
963. 4048 4036 139264
964. Mutex
965.  
966. \BaseNamedObjects\SHIMLIB_LOG_MUTEX
967. 4048
968. Regkey
969. Added
970.  
971. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio
972. 4048
973. Regkey
974. Added
975.  
976. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
977. ression Manager\
978. 4048
979. Regkey
980. Added
981.  
982. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
983. ression Manager\MSACM
984. 4048
985. Regkey
986. Added
987.  
988. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
989. ression Manager\
990. 4048
991. Regkey
992. Added
993.  
994. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
995. ression Manager\Priority v4.00
996. 4048
997. Regkey
998. Queryvalue
999.  
1000. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
1001. 4048
1002. Regkey
1003. Added
1004.  
1005. \REGISTRY\MACHINE\Software\Microsoft\WBEM\CIMOM
1006. 4008
1007. 3 Repeated items skipped
1008. Regkey
1009. Queryvalue
1010.  
1011. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
1012. 4008
1013. Mutex
1014.  
1015. \BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
1016. 4048
1017. Mutex
1018.  
1019. \BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
1020. 4048
1021. Mutex
1022.  
1023. \BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
1024. 4048
1025. Mutex
1026.  
1027. \BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
1028. 4048
1029. Mutex
1030.  
1031. \BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
1032. 4048
1033. Mutex
1034.  
1035. \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-1409082233-688789844-725345543-1003MUTEX.Defau
1036. ltS-1-5-21-1409082233-688789844-725345543-1003
1037. 4048
1038. Regkey
1039. Queryvalue
1040.  
1041. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
1042. 4008
1043. Regkey
1044. Added
1045.  
1046. \REGISTRY\MACHINE\Software\Microsoft\Windows Script Host\Settings
1047. 4048
1048. Regkey
1049. Added
1050.  
1051. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows Script Host\S
1052. ettings
1053. 4048
1054. Wmiquery
1055.  
1056. Imagepath: C:\WINDOWS\system32\cscript.exe
1057. 4008
1058. Process
1059. Terminated
1060.  
1061. C:\WINDOWS\system32\cscript.exe
1062. Parentname: C:\WINDOWS\system32\cmd.exe
1063. Command Line: N/A
1064. 4008 3996
1065. Process
1066. Terminated
1067.  
1068. C:\WINDOWS\system32\cmd.exe
1069. Parentname: C:\WINDOWS\system32\java.exe
1070. Command Line: N/A
1071. 3996 3880
1072. File
1073. Created
1074.  
1075. C:\Documents and Settings\admin\Local Settings\Temp\Retrive7504425008840173293.vbs
1076. 3880
1077. File
1078. Close
1079.  
1080. C:\Documents and Settings\admin\Local Settings\Temp\Retrive7504425008840173293.vbs
1081. 3880
1082. File
1083. Overwritten
1084.  
1085. C:\Documents and Settings\admin\Local Settings\Temp\Retrive7504425008840173293.vbs
1086. 3880
1087. File
1088. Close
1089.  
1090. C:\Documents and Settings\admin\Local Settings\Temp\Retrive7504425008840173293.vbs
1091. MD5: 23d64aa62b580f8bea2de9e2c51a0446
1092. SHA1: c23a027741d2f92c9ef5c52d9e464a25f7c25215
1093. 3880 280
1094. Process
1095. Started
1096.  
1097. C:\WINDOWS\system32\cmd.exe
1098. Parentname: C:\WINDOWS\system32\java.exe
1099. Command Line: cmd.exe /C cscript.exe C:\DOCUME~1\admin\LOCALS~1\Temp\Retrive7504425008840173293.vbs
1100. MD5: 6d778e0f95447e6546553eeea709d03c
1101. SHA1: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1
1102. 4076 3880 389120
1103. Mutex
1104.  
1105. \BaseNamedObjects\SHIMLIB_LOG_MUTEX
1106. 4076
1107. Regkey
1108. Added
1109.  
1110. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio
1111. 4076
1112. Regkey
1113. Added
1114.  
1115. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
1116. ression Manager\
1117. 4076
1118. Regkey
1119. Added
1120.  
1121. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
1122. ression Manager\MSACM
1123. 4076
1124. Regkey
1125. Added
1126.  
1127. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
1128. ression Manager\
1129. 4076
1130. Regkey
1131. Added
1132.  
1133. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
1134. ression Manager\Priority v4.00
1135. 4076
1136. Regkey
1137. Added
1138.  
1139. \REGISTRY\MACHINE\Software\Microsoft\WBEM\CIMOM
1140. 4048
1141. 3 Repeated items skipped
1142. Regkey
1143. Queryvalue
1144.  
1145. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
1146. 4048
1147. 2 Repeated items skipped
1148. Wmiquery
1149.  
1150. Imagepath: C:\WINDOWS\system32\cscript.exe
1151. 4048
1152. Process
1153. Started
1154.  
1155. C:\WINDOWS\system32\cscript.exe
1156. Parentname: C:\WINDOWS\system32\cmd.exe
1157. Command Line: cscript.exe C:\DOCUME~1\admin\LOCALS~1\Temp\Retrive7504425008840173293.vbs
1158. MD5: 3c080025710f409484862a4373dafae0
1159. SHA1: e1295ed82db58893993f00f804ca3df5b75ee327
1160. 112 4076 139264
1161. Process
1162. Terminated
1163.  
1164. C:\WINDOWS\system32\cscript.exe
1165. Parentname: C:\WINDOWS\system32\cmd.exe
1166. Command Line: N/A
1167. 4048 4036
1168. Process
1169. Terminated
1170.  
1171. C:\WINDOWS\system32\cmd.exe
1172. Parentname: C:\WINDOWS\system32\java.exe
1173. Command Line: N/A
1174. 4036 3760
1175. Javacall
1176.  
1177. Method: delete Imagepath: c:\windows\system32\java.exe
1178. 3760
1179. File
1180. Delete
1181.  
1182. C:\Documents and Settings\admin\Local Settings\Temp\Retrive5781670612385944639.vbs
1183. MD5: 23d64aa62b580f8bea2de9e2c51a0446
1184. SHA1: c23a027741d2f92c9ef5c52d9e464a25f7c25215
1185. 3760 280
1186. Javacall
1187.  
1188. Method: CONSTRUCTOR
1189. Params: [/etc/lsb-release-crunchbang]
1190. Imagepath: c:\windows\system32\java.exe
1191. 3760
1192. Javacall
1193.  
1194. Method: CONSTRUCTOR
1195. Params: [/etc/lsb-release]
1196. Imagepath: c:\windows\system32\java.exe
1197. 3760
1198. Javacall
1199.  
1200. Method: CONSTRUCTOR
1201. Params: [/etc/os-release]
1202. Imagepath: c:\windows\system32\java.exe
1203. 3760
1204. Javacall
1205.  
1206. Method: getProperty
1207. Params: [os.name]
1208. Imagepath: c:\windows\system32\java.exe
1209. 3760
1210. Javacall
1211.  
1212. Method: getProperty
1213. Params: [os.version]
1214. Imagepath: c:\windows\system32\java.exe
1215. 3760
1216. Javacall
1217.  
1218. Method: CONSTRUCTOR
1219. Params: [C:\Program Files\Oracle\VirtualBox Guest Additions]
1220. Imagepath: c:\windows\system32\java.exe
1221. 3760
1222. Javacall
1223.  
1224. Method: getProperty
1225. Params: [java.home]
1226. Imagepath: c:\windows\system32\java.exe
1227. 3760
1228. Javacall
1229.  
1230. Method: CONSTRUCTOR
1231. Params: [C:\Documents and Settings\admin\Application Data\O
1232. racle\bin\javaw.exe]
1233. Imagepath: c:\windows\system32\java.exe
1234. 3760
1235. Javacall
1236.  
1237. Method: exec
1238. Params: [ 'xcopy' '"C:\Program Files\Java\jre1.7.0_13"' '"C
1239. :\Documents and Settings\admin\Application Data
1240. \Oracle\"' '/e']
1241. Imagepath: c:\windows\system32\java.exe
1242. 3760
1243. Javacall
1244.  
1245. Method: exec
1246. Params: [ 'xcopy' '"C:\Program Files\Java\jre1.7.0_13"' '"C
1247. :\Documents and Settings\admin\Application Data
1248. \Oracle\"' '/e', null, null]
1249. Imagepath: c:\windows\system32\java.exe
1250. 3760
1251. Mutex
1252.  
1253. \BaseNamedObjects\SHIMLIB_LOG_MUTEX
1254. 112
1255. Regkey
1256. Added
1257.  
1258. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio
1259. 112
1260. Regkey
1261. Added
1262.  
1263. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
1264. ression Manager\
1265. 112
1266. Regkey
1267. Added
1268.  
1269. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
1270. ression Manager\MSACM
1271. 112
1272. Regkey
1273. Added
1274.  
1275. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
1276. ression Manager\
1277. 112
1278. Regkey
1279. Added
1280.  
1281. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
1282. ression Manager\Priority v4.00
1283. 112
1284. Regkey
1285. Queryvalue
1286.  
1287. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
1288. 112
1289. Process
1290. Started
1291.  
1292. C:\WINDOWS\system32\xcopy.exe
1293. Parentname: C:\WINDOWS\system32\java.exe
1294. Command Line: xcopy "C:\Program Files\Java\jre1.7.0_13" "C:\Documents and Settings\admin\Application Data\Oracle\" /e
1295. MD5: 9f45d6316d06ec8fac0cf07279823dde
1296. SHA1: 576ea2d042112e80c1e2e86e62b0bd584dc06417
1297. 208 3760 30720
1298. Mutex
1299.  
1300. \BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
1301. 112
1302. Mutex
1303.  
1304. \BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
1305. 112
1306. Mutex
1307.  
1308. \BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
1309. 112
1310. Mutex
1311.  
1312. \BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
1313. 112
1314. Mutex
1315.  
1316. \BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
1317. 112
1318. Mutex
1319.  
1320. \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-1409082233-688789844-725345543-1003MUTEX.Defau
1321. ltS-1-5-21-1409082233-688789844-725345543-1003
1322. 112
1323. Mutex
1324.  
1325. \BaseNamedObjects\SHIMLIB_LOG_MUTEX
1326. 208
1327. Regkey
1328. Added
1329.  
1330. \REGISTRY\MACHINE\Software\Microsoft\Windows Script Host\Settings
1331. 112
1332. Regkey
1333. Added
1334.  
1335. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows Script Host\S
1336. ettings
1337. 112
1338. Regkey
1339. Queryvalue
1340.  
1341. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
1342. 208
1343. Regkey
1344. Queryvalue
1345.  
1346. \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\"Identifier"
1347. 208
1348. Regkey
1349. Added
1350.  
1351. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio
1352. 208
1353. Regkey
1354. Added
1355.  
1356. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
1357. ression Manager\
1358. 208
1359. Regkey
1360. Added
1361.  
1362. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
1363. ression Manager\MSACM
1364. 208
1365. Regkey
1366. Added
1367.  
1368. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
1369. ression Manager\
1370. 208
1371. Regkey
1372. Added
1373.  
1374. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
1375. ression Manager\Priority v4.00
1376. 208
1377. Folder
1378. Date Change
1379.  
1380. C:\Documents and Settings\admin\Application Data\Oracle
1381. 208
1382. File
1383. Date Change
1384.  
1385. C:\Documents and Settings\admin\Application Data\Oracle\COPYRIGHT
1386. 208 3409
1387. File
1388. Date Change
1389.  
1390. C:\Documents and Settings\admin\Application Data\Oracle\COPYRIGHT
1391. 208 3409
1392. File
1393. Date Change
1394.  
1395. C:\Documents and Settings\admin\Application Data\Oracle\LICENSE
1396. 208 41
1397. File
1398. Date Change
1399.  
1400. C:\Documents and Settings\admin\Application Data\Oracle\LICENSE
1401. 208 41
1402. File
1403. Date Change
1404.  
1405. C:\Documents and Settings\admin\Application Data\Oracle\README.txt
1406. 208 47
1407. File
1408. Date Change
1409.  
1410. C:\Documents and Settings\admin\Application Data\Oracle\README.txt
1411. 208 47
1412. Wmiquery
1413.  
1414. Imagepath: C:\WINDOWS\system32\wbem\wmiprvse.exe
1415. 3616
1416. File
1417. Date Change
1418.  
1419. C:\Documents and Settings\admin\Application Data\Oracle\release
1420. 208 450
1421. File
1422. Date Change
1423.  
1424. C:\Documents and Settings\admin\Application Data\Oracle\release
1425. 208 450
1426. File
1427. Date Change
1428.  
1429. C:\Documents and Settings\admin\Application Data\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
1430. 208 125105
1431. File
1432. Date Change
1433.  
1434. C:\Documents and Settings\admin\Application Data\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
1435. 208 125105
1436. File
1437. Date Change
1438.  
1439. C:\Documents and Settings\admin\Application Data\Oracle\THIRDPARTYLICENSEREADME.txt
1440. 208 175640
1441. File
1442. Date Change
1443.  
1444. C:\Documents and Settings\admin\Application Data\Oracle\THIRDPARTYLICENSEREADME.txt
1445. 208 175640
1446. File
1447. Date Change
1448.  
1449. C:\Documents and Settings\admin\Application Data\Oracle\Welcome.html
1450. 208 983
1451. File
1452. Date Change
1453.  
1454. C:\Documents and Settings\admin\Application Data\Oracle\Welcome.html
1455. 208 983
1456. Folder
1457. Date Change
1458.  
1459. C:\Documents and Settings\admin\Application Data\Oracle\bin
1460. 208
1461. File
1462. Date Change
1463.  
1464. C:\Documents and Settings\admin\Application Data\Oracle\bin\awt.dll
1465. 208 1168800
1466. File
1467. Date Change
1468.  
1469. C:\Documents and Settings\admin\Application Data\Oracle\bin\awt.dll
1470. 208 1168800
1471. File
1472. Date Change
1473.  
1474. C:\Documents and Settings\admin\Application Data\Oracle\bin\axbridge.dll
1475. 208 142240
1476. File
1477. Date Change
1478.  
1479. C:\Documents and Settings\admin\Application Data\Oracle\bin\axbridge.dll
1480. 208 142240
1481. File
1482. Date Change
1483.  
1484. C:\Documents and Settings\admin\Application Data\Oracle\bin\dcpr.dll
1485. 208 141728
1486. Regkey
1487. Added
1488.  
1489. \REGISTRY\MACHINE\Software\Microsoft\WBEM\CIMOM
1490. 112
1491. 2 Repeated items skipped
1492. Regkey
1493. Queryvalue
1494.  
1495. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
1496. 112
1497. File
1498. Date Change
1499.  
1500. C:\Documents and Settings\admin\Application Data\Oracle\bin\dcpr.dll
1501. 208 141728
1502. Regkey
1503. Queryvalue
1504.  
1505. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
1506. 112
1507. File
1508. Date Change
1509.  
1510. C:\Documents and Settings\admin\Application Data\Oracle\bin\decora-sse.dll
1511. 208 62368
1512. File
1513. Date Change
1514.  
1515. C:\Documents and Settings\admin\Application Data\Oracle\bin\decora-sse.dll
1516. 208 62368
1517. File
1518. Date Change
1519.  
1520. C:\Documents and Settings\admin\Application Data\Oracle\bin\deploy.dll
1521. 208 357792
1522. Wmiquery
1523.  
1524. Imagepath: C:\WINDOWS\system32\cscript.exe
1525. 112
1526. File
1527. Date Change
1528.  
1529. C:\Documents and Settings\admin\Application Data\Oracle\bin\deploy.dll
1530. 208 357792
1531. Process
1532. Terminated
1533.  
1534. C:\WINDOWS\system32\cscript.exe
1535. Parentname: C:\WINDOWS\system32\cmd.exe
1536. Command Line: N/A
1537. 112 4076
1538. Process
1539. Terminated
1540.  
1541. C:\WINDOWS\system32\cmd.exe
1542. Parentname: C:\WINDOWS\system32\java.exe
1543. Command Line: N/A
1544. 4076 3880
1545. File
1546. Date Change
1547.  
1548. C:\Documents and Settings\admin\Application Data\Oracle\bin\dt_shmem.dll
1549. 208 24992
1550. File
1551. Date Change
1552.  
1553. C:\Documents and Settings\admin\Application Data\Oracle\bin\dt_shmem.dll
1554. 208 24992
1555. File
1556. Date Change
1557.  
1558. C:\Documents and Settings\admin\Application Data\Oracle\bin\dt_socket.dll
1559. 208 21408
1560. File
1561. Date Change
1562.  
1563. C:\Documents and Settings\admin\Application Data\Oracle\bin\dt_socket.dll
1564. 208 21408
1565. File
1566. Date Change
1567.  
1568. C:\Documents and Settings\admin\Application Data\Oracle\bin\eula.dll
1569. 208 108448
1570. File
1571. Date Change
1572.  
1573. C:\Documents and Settings\admin\Application Data\Oracle\bin\eula.dll
1574. 208 108448
1575. File
1576. Date Change
1577.  
1578. C:\Documents and Settings\admin\Application Data\Oracle\bin\fontmanager.dll
1579. 208 164256
1580. File
1581. Date Change
1582.  
1583. C:\Documents and Settings\admin\Application Data\Oracle\bin\fontmanager.dll
1584. 208 164256
1585. File
1586. Date Change
1587.  
1588. C:\Documents and Settings\admin\Application Data\Oracle\bin\fxplugins.dll
1589. 208 188320
1590. File
1591. Date Change
1592.  
1593. C:\Documents and Settings\admin\Application Data\Oracle\bin\fxplugins.dll
1594. 208 188320
1595. File
1596. Date Change
1597.  
1598. C:\Documents and Settings\admin\Application Data\Oracle\bin\glass.dll
1599. 208 157088
1600. File
1601. Date Change
1602.  
1603. C:\Documents and Settings\admin\Application Data\Oracle\bin\glass.dll
1604. 208 157088
1605. File
1606. Date Change
1607.  
1608. C:\Documents and Settings\admin\Application Data\Oracle\bin\glib-lite.dll
1609. 208 407968
1610. File
1611. Date Change
1612.  
1613. C:\Documents and Settings\admin\Application Data\Oracle\bin\glib-lite.dll
1614. 208 407968
1615. File
1616. Date Change
1617.  
1618. C:\Documents and Settings\admin\Application Data\Oracle\bin\gstreamer-lite.dll
1619. 208 505248
1620. File
1621. Date Change
1622.  
1623. C:\Documents and Settings\admin\Application Data\Oracle\bin\gstreamer-lite.dll
1624. 208 505248
1625. File
1626. Date Change
1627.  
1628. C:\Documents and Settings\admin\Application Data\Oracle\bin\hprof.dll
1629. 208 132000
1630. File
1631. Date Change
1632.  
1633. C:\Documents and Settings\admin\Application Data\Oracle\bin\hprof.dll
1634. 208 132000
1635. File
1636. Date Change
1637.  
1638. C:\Documents and Settings\admin\Application Data\Oracle\bin\installer.dll
1639. 208 191904
1640. File
1641. Date Change
1642.  
1643. C:\Documents and Settings\admin\Application Data\Oracle\bin\installer.dll
1644. 208 191904
1645. File
1646. Date Change
1647.  
1648. C:\Documents and Settings\admin\Application Data\Oracle\bin\instrument.dll
1649. 208 114592
1650. File
1651. Date Change
1652.  
1653. C:\Documents and Settings\admin\Application Data\Oracle\bin\instrument.dll
1654. 208 114592
1655. File
1656. Date Change
1657.  
1658. C:\Documents and Settings\admin\Application Data\Oracle\bin\j2pcsc.dll
1659. 208 15776
1660. File
1661. Date Change
1662.  
1663. C:\Documents and Settings\admin\Application Data\Oracle\bin\j2pcsc.dll
1664. 208 15776
1665. File
1666. Date Change
1667.  
1668. C:\Documents and Settings\admin\Application Data\Oracle\bin\j2pkcs11.dll
1669. 208 50080
1670. File
1671. Date Change
1672.  
1673. C:\Documents and Settings\admin\Application Data\Oracle\bin\j2pkcs11.dll
1674. 208 50080
1675. File
1676. Date Change
1677.  
1678. C:\Documents and Settings\admin\Application Data\Oracle\bin\jaas_nt.dll
1679. 208 19360
1680. File
1681. Date Change
1682.  
1683. C:\Documents and Settings\admin\Application Data\Oracle\bin\jaas_nt.dll
1684. 208 19360
1685. File
1686. Date Change
1687.  
1688. C:\Documents and Settings\admin\Application Data\Oracle\bin\jabswitch.exe
1689. 208 48032
1690. File
1691. Date Change
1692.  
1693. C:\Documents and Settings\admin\Application Data\Oracle\bin\jabswitch.exe
1694. 208 48032
1695. File
1696. Date Change
1697.  
1698. C:\Documents and Settings\admin\Application Data\Oracle\bin\java-rmi.exe
1699. 208 15264
1700. File
1701. Date Change
1702.  
1703. C:\Documents and Settings\admin\Application Data\Oracle\bin\java-rmi.exe
1704. 208 15264
1705. File
1706. Date Change
1707.  
1708. C:\Documents and Settings\admin\Application Data\Oracle\bin\java.dll
1709. 208 119712
1710. File
1711. Date Change
1712.  
1713. C:\Documents and Settings\admin\Application Data\Oracle\bin\java.dll
1714. 208 119712
1715. File
1716. Date Change
1717.  
1718. C:\Documents and Settings\admin\Application Data\Oracle\bin\java.exe
1719. 208 174496
1720. File
1721. Date Change
1722.  
1723. C:\Documents and Settings\admin\Application Data\Oracle\bin\java.exe
1724. 208 174496
1725. File
1726. Date Change
1727.  
1728. C:\Documents and Settings\admin\Application Data\Oracle\bin\JavaAccessBridge.dll
1729. 208 182272
1730. File
1731. Date Change
1732.  
1733. C:\Documents and Settings\admin\Application Data\Oracle\bin\JavaAccessBridge.dll
1734. 208 182272
1735. File
1736. Date Change
1737.  
1738. C:\Documents and Settings\admin\Application Data\Oracle\bin\javacpl.cpl
1739. 208 143872
1740. File
1741. Date Change
1742.  
1743. C:\Documents and Settings\admin\Application Data\Oracle\bin\javacpl.cpl
1744. 208 143872
1745. File
1746. Date Change
1747.  
1748. C:\Documents and Settings\admin\Application Data\Oracle\bin\javacpl.exe
1749. 208 65440
1750. File
1751. Date Change
1752.  
1753. C:\Documents and Settings\admin\Application Data\Oracle\bin\javacpl.exe
1754. 208 65440
1755. File
1756. Date Change
1757.  
1758. C:\Documents and Settings\admin\Application Data\Oracle\bin\javafx-font.dll
1759. 208 241568
1760. File
1761. Date Change
1762.  
1763. C:\Documents and Settings\admin\Application Data\Oracle\bin\javafx-font.dll
1764. 208 241568
1765. File
1766. Date Change
1767.  
1768. C:\Documents and Settings\admin\Application Data\Oracle\bin\javafx-iio.dll
1769. 208 187808
1770. File
1771. Date Change
1772.  
1773. C:\Documents and Settings\admin\Application Data\Oracle\bin\javafx-iio.dll
1774. 208 187808
1775. File
1776. Date Change
1777.  
1778. C:\Documents and Settings\admin\Application Data\Oracle\bin\javaw.exe
1779. 208 174496
1780. File
1781. Date Change
1782.  
1783. C:\Documents and Settings\admin\Application Data\Oracle\bin\javaw.exe
1784. 208 174496
1785. File
1786. Date Change
1787.  
1788. C:\Documents and Settings\admin\Application Data\Oracle\bin\javaws.exe
1789. 208 262560
1790. File
1791. Date Change
1792.  
1793. C:\Documents and Settings\admin\Application Data\Oracle\bin\javaws.exe
1794. 208 262560
1795. File
1796. Date Change
1797.  
1798. C:\Documents and Settings\admin\Application Data\Oracle\bin\java_crw_demo.dll
1799. 208 23456
1800. File
1801. Date Change
1802.  
1803. C:\Documents and Settings\admin\Application Data\Oracle\bin\java_crw_demo.dll
1804. 208 23456
1805. File
1806. Date Change
1807.  
1808. C:\Documents and Settings\admin\Application Data\Oracle\bin\jawt.dll
1809. 208 13728
1810. File
1811. Date Change
1812.  
1813. C:\Documents and Settings\admin\Application Data\Oracle\bin\jawt.dll
1814. 208 13728
1815. File
1816. Date Change
1817.  
1818. C:\Documents and Settings\admin\Application Data\Oracle\bin\JAWTAccessBridge.dll
1819. 208 34816
1820. File
1821. Date Change
1822.  
1823. C:\Documents and Settings\admin\Application Data\Oracle\bin\JAWTAccessBridge.dll
1824. 208 34816
1825. File
1826. Date Change
1827.  
1828. C:\Documents and Settings\admin\Application Data\Oracle\bin\JdbcOdbc.dll
1829. 208 45472
1830. File
1831. Date Change
1832.  
1833. C:\Documents and Settings\admin\Application Data\Oracle\bin\JdbcOdbc.dll
1834. 208 45472
1835. File
1836. Date Change
1837.  
1838. C:\Documents and Settings\admin\Application Data\Oracle\bin\jdwp.dll
1839. 208 164256
1840. File
1841. Date Change
1842.  
1843. C:\Documents and Settings\admin\Application Data\Oracle\bin\jdwp.dll
1844. 208 164256
1845. File
1846. Date Change
1847.  
1848. C:\Documents and Settings\admin\Application Data\Oracle\bin\jfr.dll
1849. 208 19360
1850. File
1851. Date Change
1852.  
1853. C:\Documents and Settings\admin\Application Data\Oracle\bin\jfr.dll
1854. 208 19360
1855. File
1856. Date Change
1857.  
1858. C:\Documents and Settings\admin\Application Data\Oracle\bin\jfxmedia.dll
1859. 208 108448
1860. File
1861. Date Change
1862.  
1863. C:\Documents and Settings\admin\Application Data\Oracle\bin\jfxmedia.dll
1864. 208 108448
1865. File
1866. Date Change
1867.  
1868. C:\Documents and Settings\admin\Application Data\Oracle\bin\jfxwebkit.dll
1869. 208 11891104
1870. File
1871. Date Change
1872.  
1873. C:\Documents and Settings\admin\Application Data\Oracle\bin\jfxwebkit.dll
1874. 208 11891104
1875. File
1876. Date Change
1877.  
1878. C:\Documents and Settings\admin\Application Data\Oracle\bin\jli.dll
1879. 208 142240
1880. File
1881. Date Change
1882.  
1883. C:\Documents and Settings\admin\Application Data\Oracle\bin\jli.dll
1884. 208 142240
1885. File
1886. Date Change
1887.  
1888. C:\Documents and Settings\admin\Application Data\Oracle\bin\jp2iexp.dll
1889. 208 197024
1890. File
1891. Date Change
1892.  
1893. C:\Documents and Settings\admin\Application Data\Oracle\bin\jp2iexp.dll
1894. 208 197024
1895. File
1896. Date Change
1897.  
1898. C:\Documents and Settings\admin\Application Data\Oracle\bin\jp2launcher.exe
1899. 208 40352
1900. File
1901. Date Change
1902.  
1903. C:\Documents and Settings\admin\Application Data\Oracle\bin\jp2launcher.exe
1904. 208 40352
1905. File
1906. Date Change
1907.  
1908. C:\Documents and Settings\admin\Application Data\Oracle\bin\jp2native.dll
1909. 208 16288
1910. File
1911. Date Change
1912.  
1913. C:\Documents and Settings\admin\Application Data\Oracle\bin\jp2native.dll
1914. 208 16288
1915. File
1916. Date Change
1917.  
1918. C:\Documents and Settings\admin\Application Data\Oracle\bin\jp2ssv.dll
1919. 208 170912
1920. File
1921. Date Change
1922.  
1923. C:\Documents and Settings\admin\Application Data\Oracle\bin\jp2ssv.dll
1924. 208 170912
1925. File
1926. Date Change
1927.  
1928. C:\Documents and Settings\admin\Application Data\Oracle\bin\jpeg.dll
1929. 208 144800
1930. File
1931. Date Change
1932.  
1933. C:\Documents and Settings\admin\Application Data\Oracle\bin\jpeg.dll
1934. 208 144800
1935. File
1936. Date Change
1937.  
1938. C:\Documents and Settings\admin\Application Data\Oracle\bin\jpicom.dll
1939. 208 93088
1940. File
1941. Date Change
1942.  
1943. C:\Documents and Settings\admin\Application Data\Oracle\bin\jpicom.dll
1944. 208 93088
1945. File
1946. Date Change
1947.  
1948. C:\Documents and Settings\admin\Application Data\Oracle\bin\jpiexp.dll
1949. 208 154016
1950. File
1951. Date Change
1952.  
1953. C:\Documents and Settings\admin\Application Data\Oracle\bin\jpiexp.dll
1954. 208 154016
1955. File
1956. Date Change
1957.  
1958. C:\Documents and Settings\admin\Application Data\Oracle\bin\jpinscp.dll
1959. 208 103328
1960. File
1961. Date Change
1962.  
1963. C:\Documents and Settings\admin\Application Data\Oracle\bin\jpinscp.dll
1964. 208 103328
1965. File
1966. Date Change
1967.  
1968. C:\Documents and Settings\admin\Application Data\Oracle\bin\jpioji.dll
1969. 208 68512
1970. File
1971. Date Change
1972.  
1973. C:\Documents and Settings\admin\Application Data\Oracle\bin\jpioji.dll
1974. 208 68512
1975. File
1976. Date Change
1977.  
1978. C:\Documents and Settings\admin\Application Data\Oracle\bin\jpishare.dll
1979. 208 140704
1980. File
1981. Date Change
1982.  
1983. C:\Documents and Settings\admin\Application Data\Oracle\bin\jpishare.dll
1984. 208 140704
1985. File
1986. Date Change
1987.  
1988. C:\Documents and Settings\admin\Application Data\Oracle\bin\jqs.exe
1989. 208 170912
1990. File
1991. Date Change
1992.  
1993. C:\Documents and Settings\admin\Application Data\Oracle\bin\jqs.exe
1994. 208 170912
1995. File
1996. Date Change
1997.  
1998. C:\Documents and Settings\admin\Application Data\Oracle\bin\jsdt.dll
1999. 208 16288
2000. File
2001. Date Change
2002.  
2003. C:\Documents and Settings\admin\Application Data\Oracle\bin\jsdt.dll
2004. 208 16288
2005. File
2006. Date Change
2007.  
2008. C:\Documents and Settings\admin\Application Data\Oracle\bin\jsound.dll
2009. 208 30624
2010. File
2011. Date Change
2012.  
2013. C:\Documents and Settings\admin\Application Data\Oracle\bin\jsound.dll
2014. 208 30624
2015. File
2016. Date Change
2017.  
2018. C:\Documents and Settings\admin\Application Data\Oracle\bin\jsoundds.dll
2019. 208 27040
2020. File
2021. Date Change
2022.  
2023. C:\Documents and Settings\admin\Application Data\Oracle\bin\jsoundds.dll
2024. 208 27040
2025. File
2026. Date Change
2027.  
2028. C:\Documents and Settings\admin\Application Data\Oracle\bin\kcms.dll
2029. 208 177568
2030. File
2031. Date Change
2032.  
2033. C:\Documents and Settings\admin\Application Data\Oracle\bin\kcms.dll
2034. 208 177568
2035. File
2036. Date Change
2037.  
2038. C:\Documents and Settings\admin\Application Data\Oracle\bin\keytool.exe
2039. 208 15264
2040. File
2041. Date Change
2042.  
2043. C:\Documents and Settings\admin\Application Data\Oracle\bin\keytool.exe
2044. 208 15264
2045. File
2046. Date Change
2047.  
2048. C:\Documents and Settings\admin\Application Data\Oracle\bin\kinit.exe
2049. 208 15264
2050. File
2051. Date Change
2052.  
2053. C:\Documents and Settings\admin\Application Data\Oracle\bin\kinit.exe
2054. 208 15264
2055. File
2056. Date Change
2057.  
2058. C:\Documents and Settings\admin\Application Data\Oracle\bin\klist.exe
2059. 208 15264
2060. File
2061. Date Change
2062.  
2063. C:\Documents and Settings\admin\Application Data\Oracle\bin\klist.exe
2064. 208 15264
2065. File
2066. Date Change
2067.  
2068. C:\Documents and Settings\admin\Application Data\Oracle\bin\ktab.exe
2069. 208 15264
2070. File
2071. Date Change
2072.  
2073. C:\Documents and Settings\admin\Application Data\Oracle\bin\ktab.exe
2074. 208 15264
2075. File
2076. Date Change
2077.  
2078. C:\Documents and Settings\admin\Application Data\Oracle\bin\libxml2.dll
2079. 208 448928
2080. File
2081. Date Change
2082.  
2083. C:\Documents and Settings\admin\Application Data\Oracle\bin\libxml2.dll
2084. 208 448928
2085. File
2086. Date Change
2087.  
2088. C:\Documents and Settings\admin\Application Data\Oracle\bin\libxslt.dll
2089. 208 157600
2090. File
2091. Date Change
2092.  
2093. C:\Documents and Settings\admin\Application Data\Oracle\bin\libxslt.dll
2094. 208 157600
2095. File
2096. Date Change
2097.  
2098. C:\Documents and Settings\admin\Application Data\Oracle\bin\management.dll
2099. 208 31136
2100. File
2101. Date Change
2102.  
2103. C:\Documents and Settings\admin\Application Data\Oracle\bin\management.dll
2104. 208 31136
2105. File
2106. Date Change
2107.  
2108. C:\Documents and Settings\admin\Application Data\Oracle\bin\mlib_image.dll
2109. 208 573344
2110. File
2111. Date Change
2112.  
2113. C:\Documents and Settings\admin\Application Data\Oracle\bin\mlib_image.dll
2114. 208 573344
2115. File
2116. Date Change
2117.  
2118. C:\Documents and Settings\admin\Application Data\Oracle\bin\msvcr100.dll
2119. 208 770384
2120. File
2121. Date Change
2122.  
2123. C:\Documents and Settings\admin\Application Data\Oracle\bin\msvcr100.dll
2124. 208 770384
2125. File
2126. Date Change
2127.  
2128. C:\Documents and Settings\admin\Application Data\Oracle\bin\net.dll
2129. 208 74656
2130. File
2131. Date Change
2132.  
2133. C:\Documents and Settings\admin\Application Data\Oracle\bin\net.dll
2134. 208 74656
2135. File
2136. Date Change
2137.  
2138. C:\Documents and Settings\admin\Application Data\Oracle\bin\nio.dll
2139. 208 49056
2140. File
2141. Date Change
2142.  
2143. C:\Documents and Settings\admin\Application Data\Oracle\bin\nio.dll
2144. 208 49056
2145. File
2146. Date Change
2147.  
2148. C:\Documents and Settings\admin\Application Data\Oracle\bin\npjpi170_13.dll
2149. 208 202656
2150. File
2151. Date Change
2152.  
2153. C:\Documents and Settings\admin\Application Data\Oracle\bin\npjpi170_13.dll
2154. 208 202656
2155. File
2156. Date Change
2157.  
2158. C:\Documents and Settings\admin\Application Data\Oracle\bin\npoji610.dll
2159. 208 200096
2160. File
2161. Date Change
2162.  
2163. C:\Documents and Settings\admin\Application Data\Oracle\bin\npoji610.dll
2164. 208 200096
2165. File
2166. Date Change
2167.  
2168. C:\Documents and Settings\admin\Application Data\Oracle\bin\npt.dll
2169. 208 17312
2170. File
2171. Date Change
2172.  
2173. C:\Documents and Settings\admin\Application Data\Oracle\bin\npt.dll
2174. 208 17312
2175. File
2176. Date Change
2177.  
2178. C:\Documents and Settings\admin\Application Data\Oracle\bin\orbd.exe
2179. 208 15776
2180. File
2181. Date Change
2182.  
2183. C:\Documents and Settings\admin\Application Data\Oracle\bin\orbd.exe
2184. 208 15776
2185. File
2186. Date Change
2187.  
2188. C:\Documents and Settings\admin\Application Data\Oracle\bin\pack200.exe
2189. 208 15264
2190. File
2191. Date Change
2192.  
2193. C:\Documents and Settings\admin\Application Data\Oracle\bin\pack200.exe
2194. 208 15264
2195. File
2196. Date Change
2197.  
2198. C:\Documents and Settings\admin\Application Data\Oracle\bin\policytool.exe
2199. 208 15264
2200. File
2201. Date Change
2202.  
2203. C:\Documents and Settings\admin\Application Data\Oracle\bin\policytool.exe
2204. 208 15264
2205. File
2206. Date Change
2207.  
2208. C:\Documents and Settings\admin\Application Data\Oracle\bin\prism-d3d.dll
2209. 208 45472
2210. File
2211. Date Change
2212.  
2213. C:\Documents and Settings\admin\Application Data\Oracle\bin\prism-d3d.dll
2214. 208 45472
2215. File
2216. Date Change
2217.  
2218. C:\Documents and Settings\admin\Application Data\Oracle\bin\rmi.dll
2219. 208 13216
2220. File
2221. Date Change
2222.  
2223. C:\Documents and Settings\admin\Application Data\Oracle\bin\rmi.dll
2224. 208 13216
2225. File
2226. Date Change
2227.  
2228. C:\Documents and Settings\admin\Application Data\Oracle\bin\rmid.exe
2229. 208 15264
2230. File
2231. Date Change
2232.  
2233. C:\Documents and Settings\admin\Application Data\Oracle\bin\rmid.exe
2234. 208 15264
2235. File
2236. Date Change
2237.  
2238. C:\Documents and Settings\admin\Application Data\Oracle\bin\rmiregistry.exe
2239. 208 15264
2240. File
2241. Date Change
2242.  
2243. C:\Documents and Settings\admin\Application Data\Oracle\bin\rmiregistry.exe
2244. 208 15264
2245. File
2246. Date Change
2247.  
2248. C:\Documents and Settings\admin\Application Data\Oracle\bin\servertool.exe
2249. 208 15264
2250. File
2251. Date Change
2252.  
2253. C:\Documents and Settings\admin\Application Data\Oracle\bin\servertool.exe
2254. 208 15264
2255. File
2256. Date Change
2257.  
2258. C:\Documents and Settings\admin\Application Data\Oracle\bin\splashscreen.dll
2259. 208 196000
2260. File
2261. Date Change
2262.  
2263. C:\Documents and Settings\admin\Application Data\Oracle\bin\splashscreen.dll
2264. 208 196000
2265. File
2266. Date Change
2267.  
2268. C:\Documents and Settings\admin\Application Data\Oracle\bin\ssv.dll
2269. 208 461216
2270. File
2271. Date Change
2272.  
2273. C:\Documents and Settings\admin\Application Data\Oracle\bin\ssv.dll
2274. 208 461216
2275. File
2276. Date Change
2277.  
2278. C:\Documents and Settings\admin\Application Data\Oracle\bin\ssvagent.exe
2279. 208 48032
2280. File
2281. Date Change
2282.  
2283. C:\Documents and Settings\admin\Application Data\Oracle\bin\ssvagent.exe
2284. 208 48032
2285. File
2286. Date Change
2287.  
2288. C:\Documents and Settings\admin\Application Data\Oracle\bin\sunec.dll
2289. 208 123296
2290. File
2291. Date Change
2292.  
2293. C:\Documents and Settings\admin\Application Data\Oracle\bin\sunec.dll
2294. 208 123296
2295. File
2296. Date Change
2297.  
2298. C:\Documents and Settings\admin\Application Data\Oracle\bin\sunmscapi.dll
2299. 208 24992
2300. File
2301. Date Change
2302.  
2303. C:\Documents and Settings\admin\Application Data\Oracle\bin\sunmscapi.dll
2304. 208 24992
2305. File
2306. Date Change
2307.  
2308. C:\Documents and Settings\admin\Application Data\Oracle\bin\t2k.dll
2309. 208 192928
2310. File
2311. Date Change
2312.  
2313. C:\Documents and Settings\admin\Application Data\Oracle\bin\t2k.dll
2314. 208 192928
2315. File
2316. Date Change
2317.  
2318. C:\Documents and Settings\admin\Application Data\Oracle\bin\tnameserv.exe
2319. 208 15776
2320. File
2321. Date Change
2322.  
2323. C:\Documents and Settings\admin\Application Data\Oracle\bin\tnameserv.exe
2324. 208 15776
2325. File
2326. Date Change
2327.  
2328. C:\Documents and Settings\admin\Application Data\Oracle\bin\unpack.dll
2329. 208 57760
2330. File
2331. Date Change
2332.  
2333. C:\Documents and Settings\admin\Application Data\Oracle\bin\unpack.dll
2334. 208 57760
2335. File
2336. Date Change
2337.  
2338. C:\Documents and Settings\admin\Application Data\Oracle\bin\unpack200.exe
2339. 208 145824
2340. File
2341. Date Change
2342.  
2343. C:\Documents and Settings\admin\Application Data\Oracle\bin\unpack200.exe
2344. 208 145824
2345. File
2346. Date Change
2347.  
2348. C:\Documents and Settings\admin\Application Data\Oracle\bin\verify.dll
2349. 208 39328
2350. File
2351. Date Change
2352.  
2353. C:\Documents and Settings\admin\Application Data\Oracle\bin\verify.dll
2354. 208 39328
2355. File
2356. Date Change
2357.  
2358. C:\Documents and Settings\admin\Application Data\Oracle\bin\w2k_lsa_auth.dll
2359. 208 20896
2360. File
2361. Date Change
2362.  
2363. C:\Documents and Settings\admin\Application Data\Oracle\bin\w2k_lsa_auth.dll
2364. 208 20896
2365. File
2366. Date Change
2367.  
2368. C:\Documents and Settings\admin\Application Data\Oracle\bin\WindowsAccessBridge.dll
2369. 208 94112
2370. File
2371. Date Change
2372.  
2373. C:\Documents and Settings\admin\Application Data\Oracle\bin\WindowsAccessBridge.dll
2374. 208 94112
2375. File
2376. Date Change
2377.  
2378. C:\Documents and Settings\admin\Application Data\Oracle\bin\wsdetect.dll
2379. 208 138144
2380. File
2381. Date Change
2382.  
2383. C:\Documents and Settings\admin\Application Data\Oracle\bin\wsdetect.dll
2384. 208 138144
2385. File
2386. Date Change
2387.  
2388. C:\Documents and Settings\admin\Application Data\Oracle\bin\zip.dll
2389. 208 66464
2390. File
2391. Date Change
2392.  
2393. C:\Documents and Settings\admin\Application Data\Oracle\bin\zip.dll
2394. 208 66464
2395. Folder
2396. Date Change
2397.  
2398. C:\Documents and Settings\admin\Application Data\Oracle\bin\client
2399. 208
2400. File
2401. Date Change
2402.  
2403. C:\Documents and Settings\admin\Application Data\Oracle\bin\client\classes.jsa
2404. 208 14090240
2405. File
2406. Date Change
2407.  
2408. C:\Documents and Settings\admin\Application Data\Oracle\bin\client\classes.jsa
2409. 208 14090240
2410. File
2411. Date Change
2412.  
2413. C:\Documents and Settings\admin\Application Data\Oracle\bin\client\jvm.dll
2414. 208 3368864
2415. File
2416. Date Change
2417.  
2418. C:\Documents and Settings\admin\Application Data\Oracle\bin\client\jvm.dll
2419. 208 3368864
2420. File
2421. Date Change
2422.  
2423. C:\Documents and Settings\admin\Application Data\Oracle\bin\client\Xusage.txt
2424. 208 1447
2425. File
2426. Date Change
2427.  
2428. C:\Documents and Settings\admin\Application Data\Oracle\bin\client\Xusage.txt
2429. 208 1447
2430. Folder
2431. Date Change
2432.  
2433. C:\Documents and Settings\admin\Application Data\Oracle\bin\dtplugin
2434. 208
2435. File
2436. Date Change
2437.  
2438. C:\Documents and Settings\admin\Application Data\Oracle\bin\dtplugin\deployJava1.dll
2439. 208 782240
2440. File
2441. Date Change
2442.  
2443. C:\Documents and Settings\admin\Application Data\Oracle\bin\dtplugin\deployJava1.dll
2444. 208 782240
2445. File
2446. Date Change
2447.  
2448. C:\Documents and Settings\admin\Application Data\Oracle\bin\dtplugin\npdeployJava1.dll
2449. 208 861088
2450. File
2451. Date Change
2452.  
2453. C:\Documents and Settings\admin\Application Data\Oracle\bin\dtplugin\npdeployJava1.dll
2454. 208 861088
2455. Folder
2456. Date Change
2457.  
2458. C:\Documents and Settings\admin\Application Data\Oracle\bin\plugin2
2459. 208
2460. File
2461. Date Change
2462.  
2463. C:\Documents and Settings\admin\Application Data\Oracle\bin\plugin2\msvcr100.dll
2464. 208 770384
2465. File
2466. Date Change
2467.  
2468. C:\Documents and Settings\admin\Application Data\Oracle\bin\plugin2\msvcr100.dll
2469. 208 770384
2470. File
2471. Date Change
2472.  
2473. C:\Documents and Settings\admin\Application Data\Oracle\bin\plugin2\npjp2.dll
2474. 208 156064
2475. File
2476. Date Change
2477.  
2478. C:\Documents and Settings\admin\Application Data\Oracle\bin\plugin2\npjp2.dll
2479. 208 156064
2480. Folder
2481. Date Change
2482.  
2483. C:\Documents and Settings\admin\Application Data\Oracle\lib
2484. 208
2485. File
2486. Date Change
2487.  
2488. C:\Documents and Settings\admin\Application Data\Oracle\lib\accessibility.properties
2489. 208 153
2490. File
2491. Date Change
2492.  
2493. C:\Documents and Settings\admin\Application Data\Oracle\lib\accessibility.properties
2494. 208 153
2495. File
2496. Date Change
2497.  
2498. C:\Documents and Settings\admin\Application Data\Oracle\lib\alt-rt.jar
2499. 208 123547
2500. File
2501. Date Change
2502.  
2503. C:\Documents and Settings\admin\Application Data\Oracle\lib\alt-rt.jar
2504. 208 123547
2505. File
2506. Date Change
2507.  
2508. C:\Documents and Settings\admin\Application Data\Oracle\lib\calendars.properties
2509. 208 1232
2510. File
2511. Date Change
2512.  
2513. C:\Documents and Settings\admin\Application Data\Oracle\lib\calendars.properties
2514. 208 1232
2515. File
2516. Date Change
2517.  
2518. C:\Documents and Settings\admin\Application Data\Oracle\lib\charsets.jar
2519. 208 3510791
2520. File
2521. Date Change
2522.  
2523. C:\Documents and Settings\admin\Application Data\Oracle\lib\charsets.jar
2524. 208 3510791
2525. File
2526. Date Change
2527.  
2528. C:\Documents and Settings\admin\Application Data\Oracle\lib\classlist
2529. 208 75075
2530. File
2531. Date Change
2532.  
2533. C:\Documents and Settings\admin\Application Data\Oracle\lib\classlist
2534. 208 75075
2535. File
2536. Date Change
2537.  
2538. C:\Documents and Settings\admin\Application Data\Oracle\lib\content-types.properties
2539. 208 5483
2540. File
2541. Date Change
2542.  
2543. C:\Documents and Settings\admin\Application Data\Oracle\lib\content-types.properties
2544. 208 5483
2545. File
2546. Date Change
2547.  
2548. C:\Documents and Settings\admin\Application Data\Oracle\lib\currency.data
2549. 208 4200
2550. File
2551. Date Change
2552.  
2553. C:\Documents and Settings\admin\Application Data\Oracle\lib\currency.data
2554. 208 4200
2555. File
2556. Date Change
2557.  
2558. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy.jar
2559. 208 4064384
2560. File
2561. Date Change
2562.  
2563. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy.jar
2564. 208 4064384
2565. File
2566. Date Change
2567.  
2568. C:\Documents and Settings\admin\Application Data\Oracle\lib\flavormap.properties
2569. 208 3928
2570. File
2571. Date Change
2572.  
2573. C:\Documents and Settings\admin\Application Data\Oracle\lib\flavormap.properties
2574. 208 3928
2575. File
2576. Date Change
2577.  
2578. C:\Documents and Settings\admin\Application Data\Oracle\lib\fontconfig.bfc
2579. 208 3670
2580. File
2581. Date Change
2582.  
2583. C:\Documents and Settings\admin\Application Data\Oracle\lib\fontconfig.bfc
2584. 208 3670
2585. File
2586. Date Change
2587.  
2588. C:\Documents and Settings\admin\Application Data\Oracle\lib\fontconfig.properties.src
2589. 208 10479
2590. File
2591. Date Change
2592.  
2593. C:\Documents and Settings\admin\Application Data\Oracle\lib\fontconfig.properties.src
2594. 208 10479
2595. File
2596. Date Change
2597.  
2598. C:\Documents and Settings\admin\Application Data\Oracle\lib\javafx.properties
2599. 208 28
2600. File
2601. Date Change
2602.  
2603. C:\Documents and Settings\admin\Application Data\Oracle\lib\javafx.properties
2604. 208 28
2605. File
2606. Date Change
2607.  
2608. C:\Documents and Settings\admin\Application Data\Oracle\lib\javaws.jar
2609. 208 897652
2610. File
2611. Date Change
2612.  
2613. C:\Documents and Settings\admin\Application Data\Oracle\lib\javaws.jar
2614. 208 897652
2615. File
2616. Date Change
2617.  
2618. C:\Documents and Settings\admin\Application Data\Oracle\lib\jce.jar
2619. 208 109196
2620. File
2621. Date Change
2622.  
2623. C:\Documents and Settings\admin\Application Data\Oracle\lib\jce.jar
2624. 208 109196
2625. File
2626. Date Change
2627.  
2628. C:\Documents and Settings\admin\Application Data\Oracle\lib\jfr.jar
2629. 208 462133
2630. File
2631. Date Change
2632.  
2633. C:\Documents and Settings\admin\Application Data\Oracle\lib\jfr.jar
2634. 208 462133
2635. File
2636. Date Change
2637.  
2638. C:\Documents and Settings\admin\Application Data\Oracle\lib\jfxrt.jar
2639. 208 15085396
2640. File
2641. Date Change
2642.  
2643. C:\Documents and Settings\admin\Application Data\Oracle\lib\jfxrt.jar
2644. 208 15085396
2645. File
2646. Date Change
2647.  
2648. C:\Documents and Settings\admin\Application Data\Oracle\lib\jsse.jar
2649. 208 523751
2650. File
2651. Date Change
2652.  
2653. C:\Documents and Settings\admin\Application Data\Oracle\lib\jsse.jar
2654. 208 523751
2655. File
2656. Date Change
2657.  
2658. C:\Documents and Settings\admin\Application Data\Oracle\lib\jvm.hprof.txt
2659. 208 4226
2660. File
2661. Date Change
2662.  
2663. C:\Documents and Settings\admin\Application Data\Oracle\lib\jvm.hprof.txt
2664. 208 4226
2665. File
2666. Date Change
2667.  
2668. C:\Documents and Settings\admin\Application Data\Oracle\lib\logging.properties
2669. 208 2455
2670. File
2671. Date Change
2672.  
2673. C:\Documents and Settings\admin\Application Data\Oracle\lib\logging.properties
2674. 208 2455
2675. File
2676. Date Change
2677.  
2678. C:\Documents and Settings\admin\Application Data\Oracle\lib\management-agent.jar
2679. 208 385
2680. File
2681. Date Change
2682.  
2683. C:\Documents and Settings\admin\Application Data\Oracle\lib\management-agent.jar
2684. 208 385
2685. File
2686. Date Change
2687.  
2688. C:\Documents and Settings\admin\Application Data\Oracle\lib\meta-index
2689. 208 2196
2690. File
2691. Date Change
2692.  
2693. C:\Documents and Settings\admin\Application Data\Oracle\lib\meta-index
2694. 208 2196
2695. File
2696. Date Change
2697.  
2698. C:\Documents and Settings\admin\Application Data\Oracle\lib\net.properties
2699. 208 3070
2700. File
2701. Date Change
2702.  
2703. C:\Documents and Settings\admin\Application Data\Oracle\lib\net.properties
2704. 208 3070
2705. File
2706. Date Change
2707.  
2708. C:\Documents and Settings\admin\Application Data\Oracle\lib\plugin.jar
2709. 208 1877279
2710. File
2711. Date Change
2712.  
2713. C:\Documents and Settings\admin\Application Data\Oracle\lib\plugin.jar
2714. 208 1877279
2715. File
2716. Date Change
2717.  
2718. C:\Documents and Settings\admin\Application Data\Oracle\lib\psfont.properties.ja
2719. 208 2796
2720. File
2721. Date Change
2722.  
2723. C:\Documents and Settings\admin\Application Data\Oracle\lib\psfont.properties.ja
2724. 208 2796
2725. File
2726. Date Change
2727.  
2728. C:\Documents and Settings\admin\Application Data\Oracle\lib\psfontj2d.properties
2729. 208 10393
2730. File
2731. Date Change
2732.  
2733. C:\Documents and Settings\admin\Application Data\Oracle\lib\psfontj2d.properties
2734. 208 10393
2735. File
2736. Date Change
2737.  
2738. C:\Documents and Settings\admin\Application Data\Oracle\lib\resources.jar
2739. 208 2466336
2740. File
2741. Date Change
2742.  
2743. C:\Documents and Settings\admin\Application Data\Oracle\lib\resources.jar
2744. 208 2466336
2745. File
2746. Date Change
2747.  
2748. C:\Documents and Settings\admin\Application Data\Oracle\lib\rt.jar
2749. 208 51668132
2750. File
2751. Date Change
2752.  
2753. C:\Documents and Settings\admin\Application Data\Oracle\lib\rt.jar
2754. 208 51668132
2755. File
2756. Date Change
2757.  
2758. C:\Documents and Settings\admin\Application Data\Oracle\lib\sound.properties
2759. 208 1210
2760. File
2761. Date Change
2762.  
2763. C:\Documents and Settings\admin\Application Data\Oracle\lib\sound.properties
2764. 208 1210
2765. File
2766. Date Change
2767.  
2768. C:\Documents and Settings\admin\Application Data\Oracle\lib\tzmappings
2769. 208 8138
2770. File
2771. Date Change
2772.  
2773. C:\Documents and Settings\admin\Application Data\Oracle\lib\tzmappings
2774. 208 8138
2775. Folder
2776. Date Change
2777.  
2778. C:\Documents and Settings\admin\Application Data\Oracle\lib\applet
2779. 208
2780. Folder
2781. Date Change
2782.  
2783. C:\Documents and Settings\admin\Application Data\Oracle\lib\cmm
2784. 208
2785. File
2786. Date Change
2787.  
2788. C:\Documents and Settings\admin\Application Data\Oracle\lib\cmm\CIEXYZ.pf
2789. 208 51236
2790. File
2791. Date Change
2792.  
2793. C:\Documents and Settings\admin\Application Data\Oracle\lib\cmm\CIEXYZ.pf
2794. 208 51236
2795. File
2796. Date Change
2797.  
2798. C:\Documents and Settings\admin\Application Data\Oracle\lib\cmm\GRAY.pf
2799. 208 632
2800. File
2801. Date Change
2802.  
2803. C:\Documents and Settings\admin\Application Data\Oracle\lib\cmm\GRAY.pf
2804. 208 632
2805. File
2806. Date Change
2807.  
2808. C:\Documents and Settings\admin\Application Data\Oracle\lib\cmm\LINEAR_RGB.pf
2809. 208 1044
2810. File
2811. Date Change
2812.  
2813. C:\Documents and Settings\admin\Application Data\Oracle\lib\cmm\LINEAR_RGB.pf
2814. 208 1044
2815. File
2816. Date Change
2817.  
2818. C:\Documents and Settings\admin\Application Data\Oracle\lib\cmm\PYCC.pf
2819. 208 274474
2820. File
2821. Date Change
2822.  
2823. C:\Documents and Settings\admin\Application Data\Oracle\lib\cmm\PYCC.pf
2824. 208 274474
2825. File
2826. Date Change
2827.  
2828. C:\Documents and Settings\admin\Application Data\Oracle\lib\cmm\sRGB.pf
2829. 208 3144
2830. File
2831. Date Change
2832.  
2833. C:\Documents and Settings\admin\Application Data\Oracle\lib\cmm\sRGB.pf
2834. 208 3144
2835. Folder
2836. Date Change
2837.  
2838. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy
2839. 208
2840. File
2841. Date Change
2842.  
2843. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\ffjcext.zip
2844. 208 18675
2845. File
2846. Date Change
2847.  
2848. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\ffjcext.zip
2849. 208 18675
2850. File
2851. Date Change
2852.  
2853. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages.properties
2854. 208 2860
2855. File
2856. Date Change
2857.  
2858. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages.properties
2859. 208 2860
2860. File
2861. Date Change
2862.  
2863. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_de.properties
2864. 208 3307
2865. File
2866. Date Change
2867.  
2868. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_de.properties
2869. 208 3307
2870. File
2871. Date Change
2872.  
2873. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_es.properties
2874. 208 3600
2875. File
2876. Date Change
2877.  
2878. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_es.properties
2879. 208 3600
2880. File
2881. Date Change
2882.  
2883. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_fr.properties
2884. 208 3409
2885. File
2886. Date Change
2887.  
2888. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_fr.properties
2889. 208 3409
2890. File
2891. Date Change
2892.  
2893. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_it.properties
2894. 208 3223
2895. File
2896. Date Change
2897.  
2898. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_it.properties
2899. 208 3223
2900. File
2901. Date Change
2902.  
2903. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_ja.properties
2904. 208 6349
2905. File
2906. Date Change
2907.  
2908. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_ja.properties
2909. 208 6349
2910. File
2911. Date Change
2912.  
2913. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_ko.properties
2914. 208 5719
2915. File
2916. Date Change
2917.  
2918. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_ko.properties
2919. 208 5719
2920. File
2921. Date Change
2922.  
2923. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_pt_BR.properties
2924. 208 3348
2925. File
2926. Date Change
2927.  
2928. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_pt_BR.properties
2929. 208 3348
2930. File
2931. Date Change
2932.  
2933. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_sv.properties
2934. 208 3409
2935. File
2936. Date Change
2937.  
2938. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_sv.properties
2939. 208 3409
2940. File
2941. Date Change
2942.  
2943. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_zh_CN.properties
2944. 208 4084
2945. File
2946. Date Change
2947.  
2948. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_zh_CN.properties
2949. 208 4084
2950. File
2951. Date Change
2952.  
2953. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_zh_HK.properties
2954. 208 3752
2955. File
2956. Date Change
2957.  
2958. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_zh_HK.properties
2959. 208 3752
2960. File
2961. Date Change
2962.  
2963. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_zh_TW.properties
2964. 208 3752
2965. File
2966. Date Change
2967.  
2968. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\messages_zh_TW.properties
2969. 208 3752
2970. File
2971. Date Change
2972.  
2973. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\splash.gif
2974. 208 13959
2975. File
2976. Date Change
2977.  
2978. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\splash.gif
2979. 208 13959
2980. Folder
2981. Date Change
2982.  
2983. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\jqs
2984. 208
2985. File
2986. Date Change
2987.  
2988. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\jqs\jqs.conf
2989. 208 40814
2990. File
2991. Date Change
2992.  
2993. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\jqs\jqs.conf
2994. 208 40814
2995. File
2996. Date Change
2997.  
2998. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\jqs\jqsmessages.properties
2999. 208 1720
3000. File
3001. Date Change
3002.  
3003. C:\Documents and Settings\admin\Application Data\Oracle\lib\deploy\jqs\jqsmessages.properties
3004. 208 1720
3005. Folder
3006. Date Change
3007.  
3008. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext
3009. 208
3010. File
3011. Date Change
3012.  
3013. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\access-bridge.jar
3014. 208 49165
3015. File
3016. Date Change
3017.  
3018. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\access-bridge.jar
3019. 208 49165
3020. File
3021. Date Change
3022.  
3023. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\dnsns.jar
3024. 208 8934
3025. File
3026. Date Change
3027.  
3028. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\dnsns.jar
3029. 208 8934
3030. File
3031. Date Change
3032.  
3033. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\jaccess.jar
3034. 208 43504
3035. File
3036. Date Change
3037.  
3038. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\jaccess.jar
3039. 208 43504
3040. File
3041. Date Change
3042.  
3043. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\localedata.jar
3044. 208 1013521
3045. File
3046. Date Change
3047.  
3048. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\localedata.jar
3049. 208 1013521
3050. File
3051. Date Change
3052.  
3053. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\meta-index
3054. 208 829
3055. File
3056. Date Change
3057.  
3058. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\meta-index
3059. 208 829
3060. File
3061. Date Change
3062.  
3063. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\QTJava.zip
3064. 208 935850
3065. File
3066. Date Change
3067.  
3068. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\QTJava.zip
3069. 208 935850
3070. File
3071. Date Change
3072.  
3073. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\sunec.jar
3074. 208 15943
3075. File
3076. Date Change
3077.  
3078. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\sunec.jar
3079. 208 15943
3080. File
3081. Date Change
3082.  
3083. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\sunjce_provider.jar
3084. 208 198317
3085. File
3086. Date Change
3087.  
3088. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\sunjce_provider.jar
3089. 208 198317
3090. File
3091. Date Change
3092.  
3093. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\sunmscapi.jar
3094. 208 30695
3095. File
3096. Date Change
3097.  
3098. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\sunmscapi.jar
3099. 208 30695
3100. File
3101. Date Change
3102.  
3103. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\sunpkcs11.jar
3104. 208 238303
3105. File
3106. Date Change
3107.  
3108. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\sunpkcs11.jar
3109. 208 238303
3110. File
3111. Date Change
3112.  
3113. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\zipfs.jar
3114. 208 68653
3115. File
3116. Date Change
3117.  
3118. C:\Documents and Settings\admin\Application Data\Oracle\lib\ext\zipfs.jar
3119. 208 68653
3120. Folder
3121. Date Change
3122.  
3123. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts
3124. 208
3125. File
3126. Date Change
3127.  
3128. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaBrightDemiBold.ttf
3129. 208 75144
3130. File
3131. Date Change
3132.  
3133. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaBrightDemiBold.ttf
3134. 208 75144
3135. File
3136. Date Change
3137.  
3138. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaBrightDemiItalic.ttf
3139. 208 75124
3140. File
3141. Date Change
3142.  
3143. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaBrightDemiItalic.ttf
3144. 208 75124
3145. File
3146. Date Change
3147.  
3148. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaBrightItalic.ttf
3149. 208 80856
3150. File
3151. Date Change
3152.  
3153. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaBrightItalic.ttf
3154. 208 80856
3155. File
3156. Date Change
3157.  
3158. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaBrightRegular.ttf
3159. 208 344908
3160. File
3161. Date Change
3162.  
3163. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaBrightRegular.ttf
3164. 208 344908
3165. File
3166. Date Change
3167.  
3168. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaSansDemiBold.ttf
3169. 208 317896
3170. File
3171. Date Change
3172.  
3173. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaSansDemiBold.ttf
3174. 208 317896
3175. File
3176. Date Change
3177.  
3178. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaSansRegular.ttf
3179. 208 698236
3180. File
3181. Date Change
3182.  
3183. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaSansRegular.ttf
3184. 208 698236
3185. File
3186. Date Change
3187.  
3188. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaTypewriterBold.ttf
3189. 208 234068
3190. File
3191. Date Change
3192.  
3193. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaTypewriterBold.ttf
3194. 208 234068
3195. File
3196. Date Change
3197.  
3198. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaTypewriterRegular.ttf
3199. 208 242700
3200. File
3201. Date Change
3202.  
3203. C:\Documents and Settings\admin\Application Data\Oracle\lib\fonts\LucidaTypewriterRegular.ttf
3204. 208 242700
3205. Folder
3206. Date Change
3207.  
3208. C:\Documents and Settings\admin\Application Data\Oracle\lib\i386
3209. 208
3210. File
3211. Date Change
3212.  
3213. C:\Documents and Settings\admin\Application Data\Oracle\lib\i386\jvm.cfg
3214. 208 686
3215. File
3216. Date Change
3217.  
3218. C:\Documents and Settings\admin\Application Data\Oracle\lib\i386\jvm.cfg
3219. 208 686
3220. Folder
3221. Date Change
3222.  
3223. C:\Documents and Settings\admin\Application Data\Oracle\lib\images
3224. 208
3225. Folder
3226. Date Change
3227.  
3228. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors
3229. 208
3230. File
3231. Date Change
3232.  
3233. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\cursors.properties
3234. 208 1280
3235. File
3236. Date Change
3237.  
3238. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\cursors.properties
3239. 208 1280
3240. File
3241. Date Change
3242.  
3243. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\invalid32x32.gif
3244. 208 153
3245. File
3246. Date Change
3247.  
3248. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\invalid32x32.gif
3249. 208 153
3250. File
3251. Date Change
3252.  
3253. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\win32_CopyDrop32x32.gif
3254. 208 165
3255. File
3256. Date Change
3257.  
3258. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\win32_CopyDrop32x32.gif
3259. 208 165
3260. File
3261. Date Change
3262.  
3263. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif
3264. 208 153
3265. File
3266. Date Change
3267.  
3268. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif
3269. 208 153
3270. File
3271. Date Change
3272.  
3273. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\win32_LinkDrop32x32.gif
3274. 208 168
3275. File
3276. Date Change
3277.  
3278. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\win32_LinkDrop32x32.gif
3279. 208 168
3280. File
3281. Date Change
3282.  
3283. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\win32_LinkNoDrop32x32.gif
3284. 208 153
3285. File
3286. Date Change
3287.  
3288. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\win32_LinkNoDrop32x32.gif
3289. 208 153
3290. File
3291. Date Change
3292.  
3293. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\win32_MoveDrop32x32.gif
3294. 208 147
3295. File
3296. Date Change
3297.  
3298. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\win32_MoveDrop32x32.gif
3299. 208 147
3300. File
3301. Date Change
3302.  
3303. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\win32_MoveNoDrop32x32.gif
3304. 208 153
3305. File
3306. Date Change
3307.  
3308. C:\Documents and Settings\admin\Application Data\Oracle\lib\images\cursors\win32_MoveNoDrop32x32.gif
3309. 208 153
3310. Folder
3311. Date Change
3312.  
3313. C:\Documents and Settings\admin\Application Data\Oracle\lib\management
3314. 208
3315. File
3316. Date Change
3317.  
3318. C:\Documents and Settings\admin\Application Data\Oracle\lib\management\jmxremote.access
3319. 208 3998
3320. File
3321. Date Change
3322.  
3323. C:\Documents and Settings\admin\Application Data\Oracle\lib\management\jmxremote.access
3324. 208 3998
3325. File
3326. Date Change
3327.  
3328. C:\Documents and Settings\admin\Application Data\Oracle\lib\management\jmxremote.password.template
3329. 208 2856
3330. File
3331. Date Change
3332.  
3333. C:\Documents and Settings\admin\Application Data\Oracle\lib\management\jmxremote.password.template
3334. 208 2856
3335. File
3336. Date Change
3337.  
3338. C:\Documents and Settings\admin\Application Data\Oracle\lib\management\management.properties
3339. 208 14097
3340. File
3341. Date Change
3342.  
3343. C:\Documents and Settings\admin\Application Data\Oracle\lib\management\management.properties
3344. 208 14097
3345. File
3346. Date Change
3347.  
3348. C:\Documents and Settings\admin\Application Data\Oracle\lib\management\snmp.acl.template
3349. 208 3376
3350. File
3351. Date Change
3352.  
3353. C:\Documents and Settings\admin\Application Data\Oracle\lib\management\snmp.acl.template
3354. 208 3376
3355. Folder
3356. Date Change
3357.  
3358. C:\Documents and Settings\admin\Application Data\Oracle\lib\security
3359. 208
3360. File
3361. Date Change
3362.  
3363. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\blacklist
3364. 208 2177
3365. File
3366. Date Change
3367.  
3368. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\blacklist
3369. 208 2177
3370. File
3371. Date Change
3372.  
3373. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\cacerts
3374. 208 83581
3375. File
3376. Date Change
3377.  
3378. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\cacerts
3379. 208 83581
3380. File
3381. Date Change
3382.  
3383. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\java.policy
3384. 208 2254
3385. File
3386. Date Change
3387.  
3388. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\java.policy
3389. 208 2254
3390. File
3391. Date Change
3392.  
3393. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\java.security
3394. 208 15894
3395. File
3396. Date Change
3397.  
3398. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\java.security
3399. 208 15894
3400. File
3401. Date Change
3402.  
3403. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\javafx.policy
3404. 208 158
3405. File
3406. Date Change
3407.  
3408. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\javafx.policy
3409. 208 158
3410. File
3411. Date Change
3412.  
3413. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\javaws.policy
3414. 208 98
3415. File
3416. Date Change
3417.  
3418. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\javaws.policy
3419. 208 98
3420. File
3421. Date Change
3422.  
3423. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\local_policy.jar
3424. 208 2971
3425. File
3426. Date Change
3427.  
3428. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\local_policy.jar
3429. 208 2971
3430. File
3431. Date Change
3432.  
3433. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\trusted.libraries
3434. 208
3435. File
3436. Date Change
3437.  
3438. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\trusted.libraries
3439. 208
3440. File
3441. Date Change
3442.  
3443. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\US_export_policy.jar
3444. 208 2487
3445. File
3446. Date Change
3447.  
3448. C:\Documents and Settings\admin\Application Data\Oracle\lib\security\US_export_policy.jar
3449. 208 2487
3450. Folder
3451. Date Change
3452.  
3453. C:\Documents and Settings\admin\Application Data\Oracle\lib\servicetag
3454. 208
3455. File
3456. Date Change
3457.  
3458. C:\Documents and Settings\admin\Application Data\Oracle\lib\servicetag\jdk_header.png
3459. 208 8705
3460. File
3461. Date Change
3462.  
3463. C:\Documents and Settings\admin\Application Data\Oracle\lib\servicetag\jdk_header.png
3464. 208 8705
3465. File
3466. Date Change
3467.  
3468. C:\Documents and Settings\admin\Application Data\Oracle\lib\servicetag\registration.xml
3469. 208 1541
3470. File
3471. Date Change
3472.  
3473. C:\Documents and Settings\admin\Application Data\Oracle\lib\servicetag\registration.xml
3474. 208 1541
3475. Folder
3476. Date Change
3477.  
3478. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi
3479. 208
3480. File
3481. Date Change
3482.  
3483. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\CET
3484. 208 1184
3485. File
3486. Date Change
3487.  
3488. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\CET
3489. 208 1184
3490. File
3491. Date Change
3492.  
3493. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\CST6CDT
3494. 208 1272
3495. File
3496. Date Change
3497.  
3498. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\CST6CDT
3499. 208 1272
3500. File
3501. Date Change
3502.  
3503. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\EET
3504. 208 1072
3505. File
3506. Date Change
3507.  
3508. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\EET
3509. 208 1072
3510. File
3511. Date Change
3512.  
3513. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\EST
3514. 208 27
3515. File
3516. Date Change
3517.  
3518. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\EST
3519. 208 27
3520. File
3521. Date Change
3522.  
3523. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\EST5EDT
3524. 208 1272
3525. File
3526. Date Change
3527.  
3528. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\EST5EDT
3529. 208 1272
3530. File
3531. Date Change
3532.  
3533. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\GMT
3534. 208 27
3535. File
3536. Date Change
3537.  
3538. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\GMT
3539. 208 27
3540. File
3541. Date Change
3542.  
3543. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\HST
3544. 208 27
3545. File
3546. Date Change
3547.  
3548. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\HST
3549. 208 27
3550. File
3551. Date Change
3552.  
3553. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\MET
3554. 208 1184
3555. File
3556. Date Change
3557.  
3558. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\MET
3559. 208 1184
3560. File
3561. Date Change
3562.  
3563. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\MST
3564. 208 27
3565. File
3566. Date Change
3567.  
3568. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\MST
3569. 208 27
3570. File
3571. Date Change
3572.  
3573. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\MST7MDT
3574. 208 1272
3575. File
3576. Date Change
3577.  
3578. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\MST7MDT
3579. 208 1272
3580. File
3581. Date Change
3582.  
3583. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\PST8PDT
3584. 208 1272
3585. File
3586. Date Change
3587.  
3588. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\PST8PDT
3589. 208 1272
3590. File
3591. Date Change
3592.  
3593. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\WET
3594. 208 1068
3595. File
3596. Date Change
3597.  
3598. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\WET
3599. 208 1068
3600. File
3601. Date Change
3602.  
3603. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\ZoneInfoMappings
3604. 208 14659
3605. File
3606. Date Change
3607.  
3608. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\ZoneInfoMappings
3609. 208 14659
3610. Folder
3611. Date Change
3612.  
3613. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa
3614. 208
3615. File
3616. Date Change
3617.  
3618. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Abidjan
3619. 208 65
3620. File
3621. Date Change
3622.  
3623. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Abidjan
3624. 208 65
3625. File
3626. Date Change
3627.  
3628. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Accra
3629. 208 181
3630. File
3631. Date Change
3632.  
3633. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Accra
3634. 208 181
3635. File
3636. Date Change
3637.  
3638. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Addis_Ababa
3639. 208 65
3640. File
3641. Date Change
3642.  
3643. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Addis_Ababa
3644. 208 65
3645. File
3646. Date Change
3647.  
3648. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Algiers
3649. 208 333
3650. File
3651. Date Change
3652.  
3653. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Algiers
3654. 208 333
3655. File
3656. Date Change
3657.  
3658. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Asmara
3659. 208 65
3660. File
3661. Date Change
3662.  
3663. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Asmara
3664. 208 65
3665. File
3666. Date Change
3667.  
3668. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Bamako
3669. 208 85
3670. File
3671. Date Change
3672.  
3673. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Bamako
3674. 208 85
3675. File
3676. Date Change
3677.  
3678. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Bangui
3679. 208 65
3680. File
3681. Date Change
3682.  
3683. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Bangui
3684. 208 65
3685. File
3686. Date Change
3687.  
3688. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Banjul
3689. 208 77
3690. File
3691. Date Change
3692.  
3693. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Banjul
3694. 208 77
3695. File
3696. Date Change
3697.  
3698. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Bissau
3699. 208 77
3700. File
3701. Date Change
3702.  
3703. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Bissau
3704. 208 77
3705. File
3706. Date Change
3707.  
3708. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Blantyre
3709. 208 65
3710. File
3711. Date Change
3712.  
3713. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Blantyre
3714. 208 65
3715. File
3716. Date Change
3717.  
3718. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Brazzaville
3719. 208 65
3720. File
3721. Date Change
3722.  
3723. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Brazzaville
3724. 208 65
3725. File
3726. Date Change
3727.  
3728. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Bujumbura
3729. 208 27
3730. File
3731. Date Change
3732.  
3733. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Bujumbura
3734. 208 27
3735. File
3736. Date Change
3737.  
3738. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Cairo
3739. 208 1049
3740. File
3741. Date Change
3742.  
3743. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Cairo
3744. 208 1049
3745. File
3746. Date Change
3747.  
3748. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Casablanca
3749. 208 736
3750. File
3751. Date Change
3752.  
3753. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Casablanca
3754. 208 736
3755. File
3756. Date Change
3757.  
3758. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Ceuta
3759. 208 1112
3760. File
3761. Date Change
3762.  
3763. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Ceuta
3764. 208 1112
3765. File
3766. Date Change
3767.  
3768. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Conakry
3769. 208 85
3770. File
3771. Date Change
3772.  
3773. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Conakry
3774. 208 85
3775. File
3776. Date Change
3777.  
3778. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Dakar
3779. 208 77
3780. File
3781. Date Change
3782.  
3783. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Dakar
3784. 208 77
3785. File
3786. Date Change
3787.  
3788. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Dar_es_Salaam
3789. 208 85
3790. File
3791. Date Change
3792.  
3793. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Dar_es_Salaam
3794. 208 85
3795. File
3796. Date Change
3797.  
3798. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Djibouti
3799. 208 65
3800. File
3801. Date Change
3802.  
3803. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Djibouti
3804. 208 65
3805. File
3806. Date Change
3807.  
3808. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Douala
3809. 208 65
3810. File
3811. Date Change
3812.  
3813. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Douala
3814. 208 65
3815. File
3816. Date Change
3817.  
3818. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\El_Aaiun
3819. 208 77
3820. File
3821. Date Change
3822.  
3823. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\El_Aaiun
3824. 208 77
3825. File
3826. Date Change
3827.  
3828. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Freetown
3829. 208 313
3830. File
3831. Date Change
3832.  
3833. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Freetown
3834. 208 313
3835. File
3836. Date Change
3837.  
3838. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Gaborone
3839. 208 77
3840. File
3841. Date Change
3842.  
3843. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Gaborone
3844. 208 77
3845. File
3846. Date Change
3847.  
3848. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Harare
3849. 208 65
3850. File
3851. Date Change
3852.  
3853. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Harare
3854. 208 65
3855. File
3856. Date Change
3857.  
3858. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Johannesburg
3859. 208 105
3860. File
3861. Date Change
3862.  
3863. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Johannesburg
3864. 208 105
3865. File
3866. Date Change
3867.  
3868. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Juba
3869. 208 337
3870. File
3871. Date Change
3872.  
3873. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Juba
3874. 208 337
3875. File
3876. Date Change
3877.  
3878. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Kampala
3879. 208 97
3880. File
3881. Date Change
3882.  
3883. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Kampala
3884. 208 97
3885. File
3886. Date Change
3887.  
3888. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Khartoum
3889. 208 337
3890. File
3891. Date Change
3892.  
3893. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Khartoum
3894. 208 337
3895. File
3896. Date Change
3897.  
3898. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Kigali
3899. 208 65
3900. File
3901. Date Change
3902.  
3903. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Kigali
3904. 208 65
3905. File
3906. Date Change
3907.  
3908. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Kinshasa
3909. 208 27
3910. File
3911. Date Change
3912.  
3913. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Kinshasa
3914. 208 27
3915. File
3916. Date Change
3917.  
3918. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Lagos
3919. 208 65
3920. File
3921. Date Change
3922.  
3923. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Lagos
3924. 208 65
3925. File
3926. Date Change
3927.  
3928. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Libreville
3929. 208 65
3930. File
3931. Date Change
3932.  
3933. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Libreville
3934. 208 65
3935. File
3936. Date Change
3937.  
3938. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Lome
3939. 208 27
3940. File
3941. Date Change
3942.  
3943. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Lome
3944. 208 27
3945. File
3946. Date Change
3947.  
3948. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Luanda
3949. 208 65
3950. File
3951. Date Change
3952.  
3953. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Luanda
3954. 208 65
3955. File
3956. Date Change
3957.  
3958. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Lubumbashi
3959. 208 27
3960. File
3961. Date Change
3962.  
3963. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Lubumbashi
3964. 208 27
3965. File
3966. Date Change
3967.  
3968. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Lusaka
3969. 208 65
3970. File
3971. Date Change
3972.  
3973. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Lusaka
3974. 208 65
3975. File
3976. Date Change
3977.  
3978. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Malabo
3979. 208 77
3980. File
3981. Date Change
3982.  
3983. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Malabo
3984. 208 77
3985. File
3986. Date Change
3987.  
3988. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Maputo
3989. 208 65
3990. File
3991. Date Change
3992.  
3993. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Maputo
3994. 208 65
3995. File
3996. Date Change
3997.  
3998. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Maseru
3999. 208 89
4000. File
4001. Date Change
4002.  
4003. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Maseru
4004. 208 89
4005. File
4006. Date Change
4007.  
4008. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Mbabane
4009. 208 65
4010. File
4011. Date Change
4012.  
4013. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Mbabane
4014. 208 65
4015. File
4016. Date Change
4017.  
4018. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Mogadishu
4019. 208 73
4020. File
4021. Date Change
4022.  
4023. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Mogadishu
4024. 208 73
4025. File
4026. Date Change
4027.  
4028. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Monrovia
4029. 208 77
4030. File
4031. Date Change
4032.  
4033. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Monrovia
4034. 208 77
4035. File
4036. Date Change
4037.  
4038. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Nairobi
4039. 208 97
4040. File
4041. Date Change
4042.  
4043. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Nairobi
4044. 208 97
4045. File
4046. Date Change
4047.  
4048. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Ndjamena
4049. 208 89
4050. File
4051. Date Change
4052.  
4053. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Ndjamena
4054. 208 89
4055. File
4056. Date Change
4057.  
4058. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Niamey
4059. 208 89
4060. File
4061. Date Change
4062.  
4063. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Niamey
4064. 208 89
4065. File
4066. Date Change
4067.  
4068. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Nouakchott
4069. 208 85
4070. File
4071. Date Change
4072.  
4073. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Nouakchott
4074. 208 85
4075. File
4076. Date Change
4077.  
4078. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Ouagadougou
4079. 208 65
4080. File
4081. Date Change
4082.  
4083. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Ouagadougou
4084. 208 65
4085. File
4086. Date Change
4087.  
4088. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Porto-Novo
4089. 208 77
4090. File
4091. Date Change
4092.  
4093. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Porto-Novo
4094. 208 77
4095. File
4096. Date Change
4097.  
4098. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Sao_Tome
4099. 208 65
4100. File
4101. Date Change
4102.  
4103. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Sao_Tome
4104. 208 65
4105. File
4106. Date Change
4107.  
4108. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Tripoli
4109. 208 293
4110. File
4111. Date Change
4112.  
4113. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Tripoli
4114. 208 293
4115. File
4116. Date Change
4117.  
4118. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Tunis
4119. 208 329
4120. File
4121. Date Change
4122.  
4123. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Tunis
4124. 208 329
4125. File
4126. Date Change
4127.  
4128. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Windhoek
4129. 208 824
4130. File
4131. Date Change
4132.  
4133. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\Africa\Windhoek
4134. 208 824
4135. Folder
4136. Date Change
4137.  
4138. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America
4139. 208
4140. File
4141. Date Change
4142.  
4143. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Adak
4144. 208 1224
4145. File
4146. Date Change
4147.  
4148. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Adak
4149. 208 1224
4150. File
4151. Date Change
4152.  
4153. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Anchorage
4154. 208 1224
4155. File
4156. Date Change
4157.  
4158. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Anchorage
4159. 208 1224
4160. File
4161. Date Change
4162.  
4163. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Anguilla
4164. 208 65
4165. File
4166. Date Change
4167.  
4168. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Anguilla
4169. 208 65
4170. File
4171. Date Change
4172.  
4173. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Antigua
4174. 208 77
4175. File
4176. Date Change
4177.  
4178. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Antigua
4179. 208 77
4180. File
4181. Date Change
4182.  
4183. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Araguaina
4184. 208 892
4185. File
4186. Date Change
4187.  
4188. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Araguaina
4189. 208 892
4190. File
4191. Date Change
4192.  
4193. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Aruba
4194. 208 77
4195. File
4196. Date Change
4197.  
4198. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Aruba
4199. 208 77
4200. File
4201. Date Change
4202.  
4203. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Asuncion
4204. 208 1116
4205. File
4206. Date Change
4207.  
4208. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Asuncion
4209. 208 1116
4210. File
4211. Date Change
4212.  
4213. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Atikokan
4214. 208 93
4215. File
4216. Date Change
4217.  
4218. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Atikokan
4219. 208 93
4220. File
4221. Date Change
4222.  
4223. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Bahia
4224. 208 553
4225. File
4226. Date Change
4227.  
4228. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Bahia
4229. 208 553
4230. File
4231. Date Change
4232.  
4233. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Bahia_Banderas
4234. 208 844
4235. File
4236. Date Change
4237.  
4238. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Bahia_Banderas
4239. 208 844
4240. File
4241. Date Change
4242.  
4243. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Barbados
4244. 208 137
4245. File
4246. Date Change
4247.  
4248. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Barbados
4249. 208 137
4250. File
4251. Date Change
4252.  
4253. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Belem
4254. 208 297
4255. File
4256. Date Change
4257.  
4258. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Belem
4259. 208 297
4260. File
4261. Date Change
4262.  
4263. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Belize
4264. 208 513
4265. File
4266. Date Change
4267.  
4268. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Belize
4269. 208 513
4270. File
4271. Date Change
4272.  
4273. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Blanc-Sablon
4274. 208 93
4275. File
4276. Date Change
4277.  
4278. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Blanc-Sablon
4279. 208 93
4280. File
4281. Date Change
4282.  
4283. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Boa_Vista
4284. 208 329
4285. File
4286. Date Change
4287.  
4288. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Boa_Vista
4289. 208 329
4290. File
4291. Date Change
4292.  
4293. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Bogota
4294. 208 89
4295. File
4296. Date Change
4297.  
4298. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Bogota
4299. 208 89
4300. File
4301. Date Change
4302.  
4303. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Boise
4304. 208 1284
4305. File
4306. Date Change
4307.  
4308. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Boise
4309. 208 1284
4310. File
4311. Date Change
4312.  
4313. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Cambridge_Bay
4314. 208 1076
4315. File
4316. Date Change
4317.  
4318. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Cambridge_Bay
4319. 208 1076
4320. File
4321. Date Change
4322.  
4323. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Campo_Grande
4324. 208 1116
4325. File
4326. Date Change
4327.  
4328. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Campo_Grande
4329. 208 1116
4330. File
4331. Date Change
4332.  
4333. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Cancun
4334. 208 792
4335. File
4336. Date Change
4337.  
4338. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Cancun
4339. 208 792
4340. File
4341. Date Change
4342.  
4343. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Caracas
4344. 208 85
4345. File
4346. Date Change
4347.  
4348. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Caracas
4349. 208 85
4350. File
4351. Date Change
4352.  
4353. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Cayenne
4354. 208 77
4355. File
4356. Date Change
4357.  
4358. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Cayenne
4359. 208 77
4360. File
4361. Date Change
4362.  
4363. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Cayman
4364. 208 65
4365. File
4366. Date Change
4367.  
4368. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Cayman
4369. 208 65
4370. File
4371. Date Change
4372.  
4373. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Chicago
4374. 208 1960
4375. File
4376. Date Change
4377.  
4378. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Chicago
4379. 208 1960
4380. File
4381. Date Change
4382.  
4383. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Chihuahua
4384. 208 816
4385. File
4386. Date Change
4387.  
4388. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Chihuahua
4389. 208 816
4390. File
4391. Date Change
4392.  
4393. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Costa_Rica
4394. 208 137
4395. File
4396. Date Change
4397.  
4398. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Costa_Rica
4399. 208 137
4400. File
4401. Date Change
4402.  
4403. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Creston
4404. 208 73
4405. File
4406. Date Change
4407.  
4408. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Creston
4409. 208 73
4410. File
4411. Date Change
4412.  
4413. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Cuiaba
4414. 208 1100
4415. File
4416. Date Change
4417.  
4418. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Cuiaba
4419. 208 1100
4420. File
4421. Date Change
4422.  
4423. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Curacao
4424. 208 77
4425. File
4426. Date Change
4427.  
4428. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Curacao
4429. 208 77
4430. File
4431. Date Change
4432.  
4433. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Danmarkshavn
4434. 208 341
4435. File
4436. Date Change
4437.  
4438. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Danmarkshavn
4439. 208 341
4440. File
4441. Date Change
4442.  
4443. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Dawson
4444. 208 1108
4445. File
4446. Date Change
4447.  
4448. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Dawson
4449. 208 1108
4450. File
4451. Date Change
4452.  
4453. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Dawson_Creek
4454. 208 509
4455. File
4456. Date Change
4457.  
4458. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Dawson_Creek
4459. 208 509
4460. File
4461. Date Change
4462.  
4463. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Denver
4464. 208 1336
4465. File
4466. Date Change
4467.  
4468. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Denver
4469. 208 1336
4470. File
4471. Date Change
4472.  
4473. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Detroit
4474. 208 1200
4475. File
4476. Date Change
4477.  
4478. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Detroit
4479. 208 1200
4480. File
4481. Date Change
4482.  
4483. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Dominica
4484. 208 65
4485. File
4486. Date Change
4487.  
4488. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Dominica
4489. 208 65
4490. File
4491. Date Change
4492.  
4493. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Edmonton
4494. 208 1316
4495. File
4496. Date Change
4497.  
4498. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Edmonton
4499. 208 1316
4500. File
4501. Date Change
4502.  
4503. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Eirunepe
4504. 208 321
4505. File
4506. Date Change
4507.  
4508. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Eirunepe
4509. 208 321
4510. File
4511. Date Change
4512.  
4513. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\El_Salvador
4514. 208 105
4515. File
4516. Date Change
4517.  
4518. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\El_Salvador
4519. 208 105
4520. File
4521. Date Change
4522.  
4523. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Fortaleza
4524. 208 377
4525. File
4526. Date Change
4527.  
4528. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Fortaleza
4529. 208 377
4530. File
4531. Date Change
4532.  
4533. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Glace_Bay
4534. 208 1204
4535. File
4536. Date Change
4537.  
4538. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Glace_Bay
4539. 208 1204
4540. File
4541. Date Change
4542.  
4543. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Godthab
4544. 208 1036
4545. File
4546. Date Change
4547.  
4548. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Godthab
4549. 208 1036
4550. File
4551. Date Change
4552.  
4553. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Goose_Bay
4554. 208 1728
4555. File
4556. Date Change
4557.  
4558. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Goose_Bay
4559. 208 1728
4560. File
4561. Date Change
4562.  
4563. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Grand_Turk
4564. 208 1044
4565. File
4566. Date Change
4567.  
4568. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Grand_Turk
4569. 208 1044
4570. File
4571. Date Change
4572.  
4573. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Grenada
4574. 208 65
4575. File
4576. Date Change
4577.  
4578. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Grenada
4579. 208 65
4580. File
4581. Date Change
4582.  
4583. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Guadeloupe
4584. 208 65
4585. File
4586. Date Change
4587.  
4588. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Guadeloupe
4589. 208 65
4590. File
4591. Date Change
4592.  
4593. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Guatemala
4594. 208 137
4595. File
4596. Date Change
4597.  
4598. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Guatemala
4599. 208 137
4600. File
4601. Date Change
4602.  
4603. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Guayaquil
4604. 208 65
4605. File
4606. Date Change
4607.  
4608. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Guayaquil
4609. 208 65
4610. File
4611. Date Change
4612.  
4613. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Guyana
4614. 208 89
4615. File
4616. Date Change
4617.  
4618. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Guyana
4619. 208 89
4620. File
4621. Date Change
4622.  
4623. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Halifax
4624. 208 1908
4625. File
4626. Date Change
4627.  
4628. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Halifax
4629. 208 1908
4630. File
4631. Date Change
4632.  
4633. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Havana
4634. 208 1340
4635. File
4636. Date Change
4637.  
4638. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Havana
4639. 208 1340
4640. File
4641. Date Change
4642.  
4643. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Hermosillo
4644. 208 189
4645. File
4646. Date Change
4647.  
4648. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Hermosillo
4649. 208 189
4650. File
4651. Date Change
4652.  
4653. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Inuvik
4654. 208 1060
4655. File
4656. Date Change
4657.  
4658. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Inuvik
4659. 208 1060
4660. File
4661. Date Change
4662.  
4663. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Iqaluit
4664. 208 1064
4665. File
4666. Date Change
4667.  
4668. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Iqaluit
4669. 208 1064
4670. File
4671. Date Change
4672.  
4673. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Jamaica
4674. 208 233
4675. File
4676. Date Change
4677.  
4678. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Jamaica
4679. 208 233
4680. File
4681. Date Change
4682.  
4683. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Juneau
4684. 208 1224
4685. File
4686. Date Change
4687.  
4688. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Juneau
4689. 208 1224
4690. File
4691. Date Change
4692.  
4693. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\La_Paz
4694. 208 81
4695. File
4696. Date Change
4697.  
4698. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\La_Paz
4699. 208 81
4700. File
4701. Date Change
4702.  
4703. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Lima
4704. 208 185
4705. File
4706. Date Change
4707.  
4708. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Lima
4709. 208 185
4710. File
4711. Date Change
4712.  
4713. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Los_Angeles
4714. 208 1560
4715. File
4716. Date Change
4717.  
4718. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Los_Angeles
4719. 208 1560
4720. File
4721. Date Change
4722.  
4723. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Maceio
4724. 208 393
4725. File
4726. Date Change
4727.  
4728. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Maceio
4729. 208 393
4730. File
4731. Date Change
4732.  
4733. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Managua
4734. 208 185
4735. File
4736. Date Change
4737.  
4738. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Managua
4739. 208 185
4740. File
4741. Date Change
4742.  
4743. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Manaus
4744. 208 313
4745. File
4746. Date Change
4747.  
4748. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Manaus
4749. 208 313
4750. File
4751. Date Change
4752.  
4753. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Martinique
4754. 208 89
4755. File
4756. Date Change
4757.  
4758. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Martinique
4759. 208 89
4760. File
4761. Date Change
4762.  
4763. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Matamoros
4764. 208 788
4765. File
4766. Date Change
4767.  
4768. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Matamoros
4769. 208 788
4770. File
4771. Date Change
4772.  
4773. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Mazatlan
4774. 208 840
4775. File
4776. Date Change
4777.  
4778. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Mazatlan
4779. 208 840
4780. File
4781. Date Change
4782.  
4783. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Menominee
4784. 208 1216
4785. File
4786. Date Change
4787.  
4788. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Menominee
4789. 208 1216
4790. File
4791. Date Change
4792.  
4793. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Merida
4794. 208 788
4795. File
4796. Date Change
4797.  
4798. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Merida
4799. 208 788
4800. File
4801. Date Change
4802.  
4803. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Metlakatla
4804. 208 329
4805. File
4806. Date Change
4807.  
4808. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Metlakatla
4809. 208 329
4810. File
4811. Date Change
4812.  
4813. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Mexico_City
4814. 208 880
4815. File
4816. Date Change
4817.  
4818. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Mexico_City
4819. 208 880
4820. File
4821. Date Change
4822.  
4823. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Miquelon
4824. 208 928
4825. File
4826. Date Change
4827.  
4828. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Miquelon
4829. 208 928
4830. File
4831. Date Change
4832.  
4833. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Moncton
4834. 208 1732
4835. File
4836. Date Change
4837.  
4838. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Moncton
4839. 208 1732
4840. File
4841. Date Change
4842.  
4843. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Monterrey
4844. 208 788
4845. File
4846. Date Change
4847.  
4848. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Monterrey
4849. 208 788
4850. File
4851. Date Change
4852.  
4853. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Montevideo
4854. 208 1152
4855. File
4856. Date Change
4857.  
4858. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Montevideo
4859. 208 1152
4860. File
4861. Date Change
4862.  
4863. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Montreal
4864. 208 1928
4865. File
4866. Date Change
4867.  
4868. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Montreal
4869. 208 1928
4870. File
4871. Date Change
4872.  
4873. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Montserrat
4874. 208 65
4875. File
4876. Date Change
4877.  
4878. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Montserrat
4879. 208 65
4880. File
4881. Date Change
4882.  
4883. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Nassau
4884. 208 1284
4885. File
4886. Date Change
4887.  
4888. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Nassau
4889. 208 1284
4890. File
4891. Date Change
4892.  
4893. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\New_York
4894. 208 1960
4895. File
4896. Date Change
4897.  
4898. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\New_York
4899. 208 1960
4900. File
4901. Date Change
4902.  
4903. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Nipigon
4904. 208 1144
4905. File
4906. Date Change
4907.  
4908. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Nipigon
4909. 208 1144
4910. File
4911. Date Change
4912.  
4913. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Nome
4914. 208 1228
4915. File
4916. Date Change
4917.  
4918. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Nome
4919. 208 1228
4920. File
4921. Date Change
4922.  
4923. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Noronha
4924. 208 377
4925. File
4926. Date Change
4927.  
4928. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Noronha
4929. 208 377
4930. File
4931. Date Change
4932.  
4933. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Ojinaga
4934. 208 816
4935. File
4936. Date Change
4937.  
4938. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Ojinaga
4939. 208 816
4940. File
4941. Date Change
4942.  
4943. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Panama
4944. 208 65
4945. File
4946. Date Change
4947.  
4948. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Panama
4949. 208 65
4950. File
4951. Date Change
4952.  
4953. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Pangnirtung
4954. 208 1076
4955. File
4956. Date Change
4957.  
4958. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Pangnirtung
4959. 208 1076
4960. File
4961. Date Change
4962.  
4963. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Paramaribo
4964. 208 101
4965. File
4966. Date Change
4967.  
4968. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Paramaribo
4969. 208 101
4970. File
4971. Date Change
4972.  
4973. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Phoenix
4974. 208 141
4975. File
4976. Date Change
4977.  
4978. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Phoenix
4979. 208 141
4980. File
4981. Date Change
4982.  
4983. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Port-au-Prince
4984. 208 361
4985. File
4986. Date Change
4987.  
4988. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Port-au-Prince
4989. 208 361
4990. File
4991. Date Change
4992.  
4993. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Porto_Velho
4994. 208 297
4995. File
4996. Date Change
4997.  
4998. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Porto_Velho
4999. 208 297
5000. File
5001. Date Change
5002.  
5003. C:\Documents and Settings\admin\Application Data\Oracle\lib\zi\America\Port_of_Spain
5004. 208 65
5005. 641 Repeated items skipped
5006. Folder
5007. Created
5008.  
5009. C:\Documents and Settings\admin\lYqMlbWljCF
5010. 3760
5011. Javacall
5012.  
5013. Method: CONSTRUCTOR
5014. Params: [C:\Documents and Settings\admin\lYqMlbWljCF, ID.txt]
5015. Imagepath: c:\windows\system32\java.exe
5016. 3760
5017. File
5018. Created
5019.  
5020. C:\Documents and Settings\admin\lYqMlbWljCF\ID.txt
5021. 3760
5022. Malicious Alert
5023. Malware Family
5024.  
5025. Message: Trojan.Adwind Indicator
5026.  
5027. 75 Repeated items skipped
5028. Javacall
5029.  
5030. Method: exec
5031. Params: [ 'attrib' '+h' '"C:\Documents and Settings\admin\l
5032. YqMlbWljCF\*.*"']
5033. Imagepath: c:\windows\system32\java.exe
5034. 3760
5035. Javacall
5036.  
5037. Method: exec
5038. Params: [ 'attrib' '+h' '"C:\Documents and Settings\admin\l
5039. YqMlbWljCF\*.*"', null, null]
5040. Imagepath: c:\windows\system32\java.exe
5041. 3760
5042. Process
5043. Started
5044.  
5045. C:\WINDOWS\system32\attrib.exe
5046. Parentname: C:\WINDOWS\system32\java.exe
5047. Command Line: attrib +h "C:\Documents and Settings\admin\lYqMlbWljCF\*.*"
5048. MD5: e6d680494c812b82a15600fd23c94424
5049. SHA1: 6be7cccf384b1b05b08b7fc5ae5bc3bb3365cc55
5050. 608 3760 12288
5051. 31 Repeated items skipped
5052. File
5053. Failed
5054.  
5055. C:\Documents and Settings\admin\Application Data\Oracle\bin\LPK.DLL
5056. 1964
5057. File
5058. Failed
5059.  
5060. C:\Documents and Settings\admin\Application Data\Oracle\bin\USP10.dll
5061. 1964
5062. Regkey
5063. Setval
5064.  
5065. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersio
5066. n\Run\"RfTToxlmCJF" = "C:\Documents and Settings\admin\Application Data\Oracle\bin\javaw.exe" -ja
5067. r "C:\Documents and Settings\admin\lYqMlbWljCF\SPGYEJWAlst.LInDKC"
5068. 1064
5069. Malicious Alert
5070. Misc Anom
5071.  
5072. Message: Suspicious Persistence Activity
5073.  
5074. Malicious Alert
5075. Suspicious Persistance Activity
5076.  
5077. Message: Process setting jar load at startup
5078.  
5079. 2 Repeated items skipped
5080. QuerySystemTime
5081.  
5082. Imagepath: C:\Documents and Settings\admin\Application Data\Oracle\bin\javaw.exe
5083. 1964
5084. Regkey
5085. Queryvalue
5086.  
5087. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
5088. 1964
5089. DLL Loaded
5090.  
5091. Imagepath: C:\Documents and Settings\admin\Application Data\Oracle\bin\javaw.exe
5092. DLL Path: C:\Documents and Settings\admin\Application Data\Oracle\bin\msvcr100.dll
5093. MD5: 67ec459e42d3081dd8fd34356f7cafc1
5094. SHA1: 1738050616169d5b17b5adac3ff0370b8c642734
5095. 1964
5096. Malicious Alert
5097. Generic Dll Load Activity
5098.  
5099. Message: DLL loaded
5100.  
5101. 14 Repeated items skipped
5102. API Call
5103.  
5104. API Name: GetLocalTime Address: 0x066a19db
5105. Params: [0xa3fd04]
5106. Imagepath: C:\Documents and Settings\admin\Application Data\Oracle\bin\javaw.exe DLL Name: kernel32.dll
5107. 1964
5108. File
5109. Created
5110.  
5111. C:\WINDOWS\system32\FE2_20170307_165351.log
5112. 1964
5113. Malicious Alert
5114. Suspicious Directory
5115.  
5116. Message: File created/tampered/deleted in suspicious location
5117.  
5118. 364 Repeated items skipped
5119. Regkey
5120. Added
5121.  
5122. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Multimedia\Audio Comp
5123. ression Manager\Priority v4.00
5124. 2072
5125. Regkey
5126. Queryvalue
5127.  
5128. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
5129. 2072
5130. Network
5131. Dns Query
5132.  
5133. Protocol Type: udp Qtype: Host Address Hostname: dam5i6.linkpc.net
5134. Imagepath: c:\Documents and Settings\admin\Application Data\Oracle\bin\javaw.exe
5135. 1964
5136. Malicious Alert
5137. Network Activity
5138.  
5139. Message: Network outbound communication attempted
5140.  
5141. Network
5142. Dns Query Answer
5143.  
5144. Protocol Type: udp IP Address: 199.16.199.2 Hostname: dam5i6.linkpc.net
5145. Imagepath: c:\Documents and Settings\admin\Application Data\Oracle\bin\javaw.exe
5146. 1964
5147. File
5148. Failed
5149.  
5150. C:\DOCUME~1\admin\LOCALS~1\Temp\regedit.exe
5151. 2072
5152. Network
5153. Connect
5154.  
5155. Protocol Type: tcp Destination Port: 2675 IP Address: 199.16.199.2
5156. Imagepath: c:\Documents and Settings\admin\Application Data\Oracle\bin\javaw.exe
5157. 1964
5158. Malicious Alert
5159. Network Activity
5160.  
5161. Message: Network outbound communication attempted
5162.  
5163. 52 Repeated items skipped
5164. Regkey
5165. Setval
5166.  
5167. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\"SEE_MASK_NOZONECHECKS" =
5168. 1
5169. 1616
5170. Regkey
5171. Added
5172.  
5173. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAcco
5174. untControlSettings.exe
5175. 1616
5176. Regkey
5177. Setval
5178.  
5179. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAcco
5180. untControlSettings.exe\"debugger" = svchost.exe
5181. 1616
5182. Malicious Alert
5183. Suspicious Persistance Activity
5184.  
5185. Message: Process Setting Image File Execution Options
5186.  
5187. 402 Repeated items skipped
5188. Process
5189. Terminated
5190.  
5191. C:\WINDOWS\system32\cmd.exe
5192. Parentname: C:\Documents and Settings\admin\Application Data\Oracle\bin\javaw.exe
5193. Command Line: N/A
5194. 2072 1964
5195. FirstRpidMemOp
5196. ReadVirtualMemory
5197.  
5198. Source: C:\Documents and Settings\admin\Application Data\Oracle\bin\javaw.exe
5199. Target: N/A
5200.  
5201. 1964
5202. 504
5203.  
5204. Process
5205. Started
5206.  
5207. C:\WINDOWS\system32\taskkill.exe
5208. Parentname: C:\Documents and Settings\admin\Application Data\Oracle\bin\javaw.exe
5209. Command Line: taskkill /IM Taskmgr.exe /T /F
5210. MD5: 3045293662b6602a2ee7d754c8f1edcc
5211. SHA1: 9e0b2195cb35efa069e70968b80547334b60429c
5212. 504 1964 76288
5213. Malicious Alert
5214. Misc Anom
5215.  
5216. Message: Security Tools/Utilities/Policies Tampered/Subverted/Disabled
5217.  
5218. Malicious Alert
5219. Security Tool Activity
5220.  
5221. Message: Security policies tampering
5222.  
5223. 841 Repeated items skipped
5224. Wmiquery
5225.  
5226. Imagepath: C:\WINDOWS\system32\taskkill.exe
5227. 3232
5228. Process
5229. Terminated
5230.  
5231. C:\WINDOWS\system32\taskkill.exe
5232. Parentname: C:\Documents and Settings\admin\Application Data\Oracle\bin\javaw.exe
5233. Command Line: N/A
5234. 3232 1964
5235. API Call
5236.  
5237. API Name: Sleep Address: 0x066a1326
5238. Imagepath: C:\Documents and Settings\admin\Application Data\Oracle\bin\javaw.exe DLL Name: kernel32.dll
5239. 1964
5240. Malicious Alert
5241. High Repeated Sleep Calls
5242.  
5243. Message: High repeated sleep calls
5244.  
5245. 1571 Repeated items skipped
5246. Mutex
5247.  
5248. \BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
5249. 3044
5250. Mutex
5251.  
5252. \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-1409082233-688789844-725345543-1003MUTEX.Defau
5253. ltS-1-5-21-1409082233-688789844-725345543-1003
5254. 3044
5255. Malicious Alert
5256. Misc Anom
5257.  
5258. Message: Suspicious Java jar Indicator
5259.  
5260. OS Change Detail (version: 1.2727) | Items: 909 | OS Info: Microsoft Windows7 64-bit 6.1 sp1 16.1115 Top
5261. Type Mode/Class Details (Path/Message/Protocol/Hostname/Qtype/ListenPort etc.) Process ID Parent ID File Size
5262. Analysis
5263. Malware
5264.  
5265.  
5266. Application
5267.  
5268.  
5269. Os
5270.  
5271. Name: windows Version: 6.1.7601 Service Pack: 1 Arch: x64
5272.  
5273. Os Monitor
5274.  
5275. Version: 16R1 Build: 582114 Date: Nov 15 2016 Time: 17:25:53
5276.  
5277. Config Update
5278.  
5279.  
5280. Uac
5281. Service
5282.  
5283. Windows Image Acquisition (WIA)
5284.  
5285. Uac
5286. Service
5287.  
5288. Multimedia Class Scheduler
5289.  
5290. Uac
5291. Service
5292.  
5293. Multimedia Class Scheduler
5294.  
5295. Javacall
5296.  
5297. Method: getResourceAsStream
5298. Params: [/9be9f6isq9t1ad9opto80bh18kguqcb3u79uh0bed3taircu.
5299. gif]
5300. Imagepath: C:\windows\SysWOW64\java.exe
5301. 1668
5302. Javacall
5303.  
5304. Method: openStream Imagepath: C:\windows\SysWOW64\java.exe
5305. 1668
5306. Javacall
5307.  
5308. Method: getResourceAsStream
5309. Params: [/-65j7mj692komlevnjqk1c8dgs6e1t15rkspltlvgfqoefksk
5310. gkpvi21ig6gj3g1f.gif]
5311. Imagepath: C:\windows\SysWOW64\java.exe
5312. 1668
5313. Javacall
5314.  
5315. Method: getResourceAsStream
5316. Params: [/-no6q083avlup4e1rhms2gn5j13r5v5kgiov1kb9st5llm570
5317. 5moa8hils5ajtq5m30vmn99g0m1.gif]
5318. Imagepath: C:\windows\SysWOW64\java.exe
5319. 1668
5320. Javacall
5321.  
5322. Method: getResourceAsStream
5323. Params: [/-pv968smfdgk2svleupgjshksp1e3bto6v7a6gdp1qfhalill
5324. cv6btdkp0hn.gif]
5325. Imagepath: C:\windows\SysWOW64\java.exe
5326. 1668
5327. Javacall
5328.  
5329. Method: getResourceAsStream
5330. Params: [/-erike4uakjoskm2ik5kd195vnv4cl4n5ln2l5er0ip83atvo
5331. .gif]
5332. Imagepath: C:\windows\SysWOW64\java.exe
5333. 1668
5334. Javacall
5335.  
5336. Method: CONSTRUCTOR
5337. Params: [/C:/Users/Administrator/AppData/Local/Temp/PI - Re
5338. vised.jar]
5339. Imagepath: C:\windows\SysWOW64\java.exe
5340. 1668
5341. Javacall
5342.  
5343. Method: CONSTRUCTOR
5344. Params: [C:\Users\Administrator\AppData\Local\Temp\PI - Rev
5345. ised.jar]
5346. Imagepath: C:\windows\SysWOW64\java.exe
5347. 1668
5348. Javacall
5349.  
5350. Method: CONSTRUCTOR
5351. Params: [q2306731315500459642, null, -1, C:\Users\Administrator\AppData\Local\Temp\PI - Rev
5352. ised.jar/, 0x048A9764]
5353. Imagepath: C:\windows\SysWOW64\java.exe
5354. 1668
5355. Javacall
5356.  
5357. Method: getResourceAsStream
5358. Params: [/-1edd1f6pvtj2g12ld1loquqldvn5jcdpdkrtvhd.gif]
5359. Imagepath: C:\windows\SysWOW64\java.exe
5360. 1668
5361. Javacall
5362.  
5363. Method: getResourceAsStream
5364. Params: [/26ebpurt88hi7a3mbft1mu0hn8arkqrofcfied28odt123rol
5365. jk1rl8g2f9gnpieiqeuekkl31elvcgvpe01vqk6emqr208h
5366. phf0temciqe8bs7ptm2mhr1sc291j7i6dcckk9ab7j9dvs1
5367. cnqte1t6u6f2pahau6be6ej11mo6ehu0l0dn7j7c4rub0tg
5368. ubij48rsebmodn8oslbstcgak6r18mdq0ivjb37fi81ibu3
5369. tknt3im78f4f2fovf]
5370. Imagepath: C:\windows\SysWOW64\java.exe
5371. 1668
5372. Javacall
5373.  
5374. Method: getResourceAsStream
5375. Params: [/4ftv33g9veq2otoiaa3b264ntbekvsh72eelpk2fi0a23fep4
5376. 9dacjgblm6q7003ctse5l4udtlpnngpsn82255mfa8os4ju
5377. clpce5tgir3k8fsd0mg2qladuk3d216hoq6ittu1f7odp7j
5378. rqfqd7sggsmfmld121p94pd0a73ai1i6bd3flbe75i0m912
5379. ci407oqt0jdch8187gl835h9m151ljaejhmd18j0op1nk2b
5380. 6lv1r288vfa8dektp]
5381. Imagepath: C:\windows\SysWOW64\java.exe
5382. 1668
5383. Javacall
5384.  
5385. Method: getResourceAsStream
5386. Params: [/752nkbh63s35v4trc18v9dt4k1psgfcmv365p9t5a9bvqlhvo
5387. t1p3rcasrhme9d25u4luoo5dg2g953hrqbd5pdr871ts0ip
5388. ol7elu2utl9iacusj3uta5cqlmoh448vtnht3hshhnlondh
5389. kkkkrknvvgik1aivj82n3ngeh83h0lsp6oicao43fbtl9sb
5390. 6ged14dhkpbhktbie471e2enehcmebv4la6ljf6ui9rs7bj
5391. 4c1sgob76genhsulm]
5392. Imagepath: C:\windows\SysWOW64\java.exe
5393. 1668
5394. Javacall
5395.  
5396. Method: getResourceAsStream
5397. Params: [/7dl3ptd7tbkjv345ue8d846kefo8o7u2vnqd5vcha55gbql2d
5398. eldt5qp34amjico2u0b36pd4abg64ucs9ukggsr5v50mch2
5399. krv8vt9hv4c1d0uhjbg8a9nu62s9fog77epkr0ovep4979s
5400. 9lqhh64vrje1dq0us7mto3kl6hr91rtlf4p68e246cg9rl2
5401. 5v6091t7tmv63tg383phvrdjv6q391elv6pv7nhd7r00vs9
5402. r4oc3h0br3t6v121h]
5403. Imagepath: C:\windows\SysWOW64\java.exe
5404. 1668
5405. Javacall
5406.  
5407. Method: getResourceAsStream
5408. Params: [/3tp64r798a114eqbig0cvkjuko4b7g7fp7acb5ntd9nqasalb
5409. 3avo29prv12n5jek2lb0irs20lsarnvh9ks3bm0nqispo59
5410. rinlb07ji6acculote2t2rf7r8iuvmbgffk1s8qjhrq8ad6
5411. s9c15m0nba8v7ebfmc8nmdpbtv76ta48419hh40pokb2104
5412. 3npelmrk23sb00lu74klm8mla8su9q4gro8h0fii7mb61m3
5413. 8t347n61vd4d5ndii]
5414. Imagepath: C:\windows\SysWOW64\java.exe
5415. 1668
5416. Javacall
5417.  
5418. Method: getResourceAsStream
5419. Params: [/o/y/d/d/a/a.s]
5420. Imagepath: C:\windows\SysWOW64\java.exe
5421. 1668
5422. Javacall
5423.  
5424. Method: getResourceAsStream
5425. Params: [/d19nh5e75jl0c7kj1m95t81gu4ve0uh5e8d2ije1rn3qlv9ou
5426. dgcth0280m0m6nb4lne91oujevrt6o7ohlpecnsjt7o5hqh
5427. ls050sgja953jbp7i6qp1vurflqsrtjq04ac2scgnj8l8ka
5428. q3u0thcgoc1aum269vet9cd8hl73p2gacflu4b5tk7ssve2
5429. ouicie89qu2avim6ocejtvkh57e0tv1lhpj0n5r0bbgn451
5430. b5deb4fd0oei47029]
5431. Imagepath: C:\windows\SysWOW64\java.exe
5432. 1668
5433. Javacall
5434.  
5435. Method: getResourceAsStream
5436. Params: [/5mr08jvrncdqd649s7l8kpjuh31dqcbkoifcf5s61tvrbqecv
5437. fnbdhti5bjfjf5alaee5et4f3cfggirc3qt1niuq0f3fit1
5438. c21h227eofiktqe4kbl9fuvcjpom6iikom10k66966cuv7k
5439. a0ub2qk7hlidrl36cv5cal2nvhq7b94pl9t5d4g00kocpj0
5440. 8epk5ga7p9heb6qjk9u0lh6b2nr7jt37osup2ah79ks4ce3
5441. h327k1mkmituesbkc]
5442. Imagepath: C:\windows\SysWOW64\java.exe
5443. 1668
5444. Javacall
5445.  
5446. Method: getResourceAsStream
5447. Params: [/-7koglsldpr87c4n1fmgnlm5r57o5jckouk9aa2358gkq695j
5448. 44ql7ltofehm04iej3t5svja9lar5f886b8dj8rktd6jkiv
5449. vvj3ijtjqtenue36cark2gdsa4pb5t2ic7gecbsc4252piv
5450. fceaptu70i39fptvl1q21j1aph742hpffodqj4e7qbkfg66
5451. fra1qbac0bh2qh3qusplnmg94kjkscb82lg9tlk3247jvjl
5452. 8v3fsr078g4hbp2cf]
5453. Imagepath: C:\windows\SysWOW64\java.exe
5454. 1668
5455. Javacall
5456.  
5457. Method: getResourceAsStream
5458. Params: [/-37kf42mjrp9har7i5rileuv70n60dcp94712emjeor6noil5
5459. 846567fnbieuta29abj13p1sj3hhe63aoi2pqjur0evnnib
5460. mmvrji5q9r8lffd6ikdhp310sga7i8v0om7n4r6jviq392c
5461. 78mu9op9mfivi7k5lrc18vbcsksc39hi7d71bo1dp7ihchj
5462. ne795mi4iqc46n7sf08am3lrcsq1rhdn8slj5je53d43qk6
5463. 68o4b2o99u9f2rngg]
5464. Imagepath: C:\windows\SysWOW64\java.exe
5465. 1668
5466. Regkey
5467. Queryvalue
5468.  
5469. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
5470. 1668
5471. Javacall
5472.  
5473. Method: getResourceAsStream
5474. Params: [/617llbcc0ngi10p2lgh0qnojk1tj0msl5so0s5f2nfcq4gn8i
5475. uqgilhaspo40dqquapatote391rv0q4sgvfgjdobq0cani4
5476. 015miebeh53sbfdgtfhqgl1lqbq59ru3svcdnv0c4a43n5i
5477. k5uevad4rg5vtg4bn2udqbcofd0jq74vusn60r5rphpn8b1
5478. ievjf8fpll8cjgbdc2rf5fou6dh04p4p81rdfao1dj4mgpr
5479. 1pirnp1kp2mp4n800]
5480. Imagepath: C:\windows\SysWOW64\java.exe
5481. 1668
5482. Javacall
5483.  
5484. Method: loadFromXML
5485. Params: [0x048A97FC]
5486. Imagepath: C:\windows\SysWOW64\java.exe
5487. 1668
5488. Javacall
5489.  
5490. Method: getResourceAsStream
5491. Params: [/ivDDwrKZ/kBadKz/hGfrGvG/mMfYL.qHG]
5492. Imagepath: C:\windows\SysWOW64\java.exe
5493. 1668
5494. Javacall
5495.  
5496. Method: getResourceAsStream
5497. Params: [/-3blebl3sqtb7326he2gdf7fs72bptlogtagqhlf9atkq8auj
5498. 6muu21sk81t6hdrf62ss8tq08lbfsn33en81543khj5fgdv
5499. 3njb9kduqq3bj269bedefg08kmepu5hiev8rdl1h173lgbp
5500. jpmb4vfasusbdpfuqp283cc6029kvct7c0vq26np5ijllso
5501. 90onsj2mgu5trvmkt52lfsfn29cv7baq8n897vmhdr9kf0i
5502. 26dfi9tq99d4ssnar]
5503. Imagepath: C:\windows\SysWOW64\java.exe
5504. 1668
5505. Javacall
5506.  
5507. Method: getResourceAsStream
5508. Params: [/-5ggim0caqin4cikuicorrf12q1uvkk1ki07oa7fvqudb2kp1
5509. 3l3kdtucq3qr9blm8qjlm1doae3tea80517i6v48m3p4dc4
5510. 8r5652cfvg5hd8ieteujd29gppc3ql3n6a04q4nibip1ke7
5511. 0p9f94aamummfeklicjcvlmbp07vv6geqegfbcm25344qqc
5512. 125rok7j3rv2qvopfm8faih7e144ahdihfqmuv5f2mbe29v
5513. m69p6gtjmfmfgu2a3]
5514. Imagepath: C:\windows\SysWOW64\java.exe
5515. 1668
5516. Javacall
5517.  
5518. Method: getResourceAsStream Imagepath: C:\windows\SysWOW64\java.exe
5519. 1668
5520. Javacall
5521.  
5522. Method: read
5523. Params: [#NOT_STRING_VECTOR#]
5524. Imagepath: C:\windows\SysWOW64\java.exe
5525. 1668
5526. Javacall
5527.  
5528. Method: read
5529. Params: [#NOT_STRING_VECTOR#]
5530. Imagepath: C:\windows\SysWOW64\java.exe
5531. 1668
5532. 3 Repeated items skipped
5533. Javacall
5534.  
5535. Method: loadFromXML
5536. Params: [0x048AA79C]
5537. Imagepath: C:\windows\SysWOW64\java.exe
5538. 1668
5539. Javacall
5540.  
5541. Method: read
5542. Params: [#NOT_STRING_VECTOR#]
5543. Imagepath: C:\windows\SysWOW64\java.exe
5544. 1668
5545. Javacall
5546.  
5547. Method: read
5548. Params: [#NOT_STRING_VECTOR#]
5549. Imagepath: C:\windows\SysWOW64\java.exe
5550. 1668
5551. 15 Repeated items skipped
5552. Javacall
5553.  
5554. Method: read Imagepath: C:\windows\SysWOW64\java.exe
5555. 1668
5556. Javacall
5557.  
5558. Method: read Imagepath: C:\windows\SysWOW64\java.exe
5559. 1668
5560. 7 Repeated items skipped
5561. Javacall
5562.  
5563. Method: CONSTRUCTOR
5564. Params: [0x048AAC9C]
5565. Imagepath: C:\windows\SysWOW64\java.exe
5566. 1668
5567. Javacall
5568.  
5569. Method: getProperty
5570. Params: [os.name]
5571. Imagepath: C:\windows\SysWOW64\java.exe
5572. 1668
5573. Javacall
5574.  
5575. Method: getProperty
5576. Params: [os.version]
5577. Imagepath: C:\windows\SysWOW64\java.exe
5578. 1668
5579. Javacall
5580.  
5581. Method: createTempFile
5582. Params: [Retrive, .vbs]
5583. Imagepath: C:\windows\SysWOW64\java.exe
5584. 1668
5585. File
5586. Created
5587.  
5588. C:\Users\Administrator\AppData\Local\Temp\Retrive1023015605935753857.vbs
5589. 2712
5590. File
5591. Close
5592.  
5593. C:\Users\Administrator\AppData\Local\Temp\Retrive1023015605935753857.vbs
5594. 2712
5595. Javacall
5596.  
5597. Method: exec
5598. Params: [ 'cmd.exe' '/C' 'cscript.exe' 'C:\Users\ADMINI~1\A
5599. ppData\Local\Temp\Retrive6123470067192879035.vb
5600. s']
5601. Imagepath: C:\windows\SysWOW64\java.exe
5602. 1668
5603. Malicious Alert
5604. Malware Family
5605.  
5606. Message: Possible Adwind Indicator
5607.  
5608. Javacall
5609.  
5610. Method: exec
5611. Params: [ 'cmd.exe' '/C' 'cscript.exe' 'C:\Users\ADMINI~1\A
5612. ppData\Local\Temp\Retrive6123470067192879035.vb
5613. s', null, null]
5614. Imagepath: C:\windows\SysWOW64\java.exe
5615. 1668
5616. File
5617. Overwritten
5618.  
5619. C:\Users\Administrator\AppData\Local\Temp\Retrive1023015605935753857.vbs
5620. 2712
5621. Malicious Alert
5622. Generic Non Exe Anomalous Activity
5623.  
5624. Message: File overwritten by non-executable
5625.  
5626. File
5627. Close
5628.  
5629. C:\Users\Administrator\AppData\Local\Temp\Retrive1023015605935753857.vbs
5630. MD5: 3bdfd33017806b85949b6faa7d4b98e4
5631. SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
5632. 2712 276
5633. File
5634. Created
5635.  
5636. C:\Users\Administrator\AppData\Local\Temp\Retrive6123470067192879035.vbs
5637. 1668
5638. File
5639. Close
5640.  
5641. C:\Users\Administrator\AppData\Local\Temp\Retrive6123470067192879035.vbs
5642. 1668
5643. File
5644. Overwritten
5645.  
5646. C:\Users\Administrator\AppData\Local\Temp\Retrive6123470067192879035.vbs
5647. 1668
5648. File
5649. Close
5650.  
5651. C:\Users\Administrator\AppData\Local\Temp\Retrive6123470067192879035.vbs
5652. MD5: 3bdfd33017806b85949b6faa7d4b98e4
5653. SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
5654. 1668 276
5655. Process
5656. Started
5657.  
5658. C:\Windows\SysWOW64\cmd.exe
5659. Parentname: C:\Windows\SysWOW64\java.exe
5660. Command Line: cmd.exe /C cscript.exe C:\Users\ADMINI~1\AppData\Local\Temp\Retrive1023015605935753857.vbs
5661. MD5: ad7b9c14083b52bc532fba5948342b98
5662. SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5
5663. 2928 2712 302592
5664. Malicious Alert
5665. Misc Anom
5666.  
5667. Message: Process started from jar
5668.  
5669. Malicious Alert
5670. Misc Anom
5671.  
5672. Message: Suspicious process
5673.  
5674. Process
5675. Started
5676.  
5677. C:\Windows\SysWOW64\cmd.exe
5678. Parentname: C:\Windows\SysWOW64\java.exe
5679. Command Line: cmd.exe /C cscript.exe C:\Users\ADMINI~1\AppData\Local\Temp\Retrive6123470067192879035.vbs
5680. MD5: ad7b9c14083b52bc532fba5948342b98
5681. SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5
5682. 2936 1668 302592
5683. Process
5684. Started
5685.  
5686. C:\Windows\SysWOW64\cscript.exe
5687. Parentname: C:\Windows\SysWOW64\cmd.exe
5688. Command Line: cscript.exe C:\Users\ADMINI~1\AppData\Local\Temp\Retrive6123470067192879035.vbs
5689. MD5: f36b7461fecdcf763fdefa3a3352cd45
5690. SHA1: d1b9ba6fd3aa56b96f5375136798fe9dfc927f72
5691. 3036 2936 126976
5692. Process
5693. Started
5694.  
5695. C:\Windows\SysWOW64\cscript.exe
5696. Parentname: C:\Windows\SysWOW64\cmd.exe
5697. Command Line: cscript.exe C:\Users\ADMINI~1\AppData\Local\Temp\Retrive1023015605935753857.vbs
5698. MD5: f36b7461fecdcf763fdefa3a3352cd45
5699. SHA1: d1b9ba6fd3aa56b96f5375136798fe9dfc927f72
5700. 3008 2928 126976
5701. Mutex
5702.  
5703. \Sessions\1\BaseNamedObjects\DBWinMutex
5704. 3036
5705. Mutex
5706.  
5707. \Sessions\1\BaseNamedObjects\DBWinMutex
5708. 3008
5709. Regkey
5710. Queryvalue
5711.  
5712. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
5713. 3036
5714. Regkey
5715. Queryvalue
5716.  
5717. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
5718. 3008
5719. 3 Repeated items skipped
5720. Wmiquery
5721.  
5722. Imagepath: C:\Windows\SysWOW64\cscript.exe
5723. 3036
5724. Malicious Alert
5725. Misc Anom
5726.  
5727. Message: Suspicious Evasion Activities
5728.  
5729. Wmiquery
5730.  
5731. Imagepath: C:\Windows\SysWOW64\cscript.exe
5732. 3008
5733. Process
5734. Terminated
5735.  
5736. C:\Windows\SysWOW64\cscript.exe
5737. Parentname: C:\Windows\SysWOW64\cmd.exe
5738. Command Line: N/A
5739. 3036 2936
5740. Javacall
5741.  
5742. Method: delete Imagepath: C:\windows\SysWOW64\java.exe
5743. 1668
5744. Javacall
5745.  
5746. Method: createTempFile
5747. Params: [Retrive, .vbs]
5748. Imagepath: C:\windows\SysWOW64\java.exe
5749. 1668
5750. Javacall
5751.  
5752. Method: exec
5753. Params: [ 'cmd.exe' '/C' 'cscript.exe' 'C:\Users\ADMINI~1\A
5754. ppData\Local\Temp\Retrive7937755225211026578.vb
5755. s']
5756. Imagepath: C:\windows\SysWOW64\java.exe
5757. 1668
5758. Javacall
5759.  
5760. Method: exec
5761. Params: [ 'cmd.exe' '/C' 'cscript.exe' 'C:\Users\ADMINI~1\A
5762. ppData\Local\Temp\Retrive7937755225211026578.vb
5763. s', null, null]
5764. Imagepath: C:\windows\SysWOW64\java.exe
5765. 1668
5766. Process
5767. Terminated
5768.  
5769. C:\Windows\SysWOW64\cmd.exe
5770. Parentname: C:\Windows\SysWOW64\java.exe
5771. Command Line: N/A
5772. 2936 1668
5773. File
5774. Delete
5775.  
5776. C:\Users\Administrator\AppData\Local\Temp\Retrive6123470067192879035.vbs
5777. MD5: 3bdfd33017806b85949b6faa7d4b98e4
5778. SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
5779. 1668 276
5780. Malicious Alert
5781. Generic Non Exe Anomalous Activity
5782.  
5783. Message: File deleted by non-executable
5784.  
5785. File
5786. Created
5787.  
5788. C:\Users\Administrator\AppData\Local\Temp\Retrive7937755225211026578.vbs
5789. 1668
5790. File
5791. Close
5792.  
5793. C:\Users\Administrator\AppData\Local\Temp\Retrive7937755225211026578.vbs
5794. 1668
5795. File
5796. Overwritten
5797.  
5798. C:\Users\Administrator\AppData\Local\Temp\Retrive7937755225211026578.vbs
5799. 1668
5800. File
5801. Close
5802.  
5803. C:\Users\Administrator\AppData\Local\Temp\Retrive7937755225211026578.vbs
5804. MD5: a32c109297ed1ca155598cd295c26611
5805. SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
5806. 1668 281
5807. Process
5808. Started
5809.  
5810. C:\Windows\SysWOW64\cmd.exe
5811. Parentname: C:\Windows\SysWOW64\java.exe
5812. Command Line: cmd.exe /C cscript.exe C:\Users\ADMINI~1\AppData\Local\Temp\Retrive7937755225211026578.vbs
5813. MD5: ad7b9c14083b52bc532fba5948342b98
5814. SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5
5815. 2112 1668 302592
5816. Process
5817. Terminated
5818.  
5819. C:\Windows\SysWOW64\cscript.exe
5820. Parentname: C:\Windows\SysWOW64\cmd.exe
5821. Command Line: N/A
5822. 3008 2928
5823. Process
5824. Terminated
5825.  
5826. C:\Windows\SysWOW64\cmd.exe
5827. Parentname: C:\Windows\SysWOW64\java.exe
5828. Command Line: N/A
5829. 2928 2712
5830. File
5831. Created
5832.  
5833. C:\Users\Administrator\AppData\Local\Temp\Retrive2459179430109991039.vbs
5834. 2712
5835. File
5836. Close
5837.  
5838. C:\Users\Administrator\AppData\Local\Temp\Retrive2459179430109991039.vbs
5839. 2712
5840. File
5841. Overwritten
5842.  
5843. C:\Users\Administrator\AppData\Local\Temp\Retrive2459179430109991039.vbs
5844. 2712
5845. File
5846. Close
5847.  
5848. C:\Users\Administrator\AppData\Local\Temp\Retrive2459179430109991039.vbs
5849. MD5: a32c109297ed1ca155598cd295c26611
5850. SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
5851. 2712 281
5852. Process
5853. Started
5854.  
5855. C:\Windows\SysWOW64\cmd.exe
5856. Parentname: C:\Windows\SysWOW64\java.exe
5857. Command Line: cmd.exe /C cscript.exe C:\Users\ADMINI~1\AppData\Local\Temp\Retrive2459179430109991039.vbs
5858. MD5: ad7b9c14083b52bc532fba5948342b98
5859. SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5
5860. 1592 2712 302592
5861. Process
5862. Started
5863.  
5864. C:\Windows\SysWOW64\cscript.exe
5865. Parentname: C:\Windows\SysWOW64\cmd.exe
5866. Command Line: cscript.exe C:\Users\ADMINI~1\AppData\Local\Temp\Retrive7937755225211026578.vbs
5867. MD5: f36b7461fecdcf763fdefa3a3352cd45
5868. SHA1: d1b9ba6fd3aa56b96f5375136798fe9dfc927f72
5869. 2444 2112 126976
5870. Process
5871. Started
5872.  
5873. C:\Windows\SysWOW64\cscript.exe
5874. Parentname: C:\Windows\SysWOW64\cmd.exe
5875. Command Line: cscript.exe C:\Users\ADMINI~1\AppData\Local\Temp\Retrive2459179430109991039.vbs
5876. MD5: f36b7461fecdcf763fdefa3a3352cd45
5877. SHA1: d1b9ba6fd3aa56b96f5375136798fe9dfc927f72
5878. 2556 1592 126976
5879. Mutex
5880.  
5881. \Sessions\1\BaseNamedObjects\DBWinMutex
5882. 2444
5883. Regkey
5884. Queryvalue
5885.  
5886. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
5887. 2444
5888. Mutex
5889.  
5890. \Sessions\1\BaseNamedObjects\DBWinMutex
5891. 2556
5892. Regkey
5893. Queryvalue
5894.  
5895. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
5896. 2556
5897. Regkey
5898. Queryvalue
5899.  
5900. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
5901. 2444
5902. Wmiquery
5903.  
5904. Imagepath: C:\Windows\SysWOW64\cscript.exe
5905. 2444
5906. Regkey
5907. Queryvalue
5908.  
5909. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
5910. 2556
5911. Process
5912. Terminated
5913.  
5914. C:\Windows\SysWOW64\cscript.exe
5915. Parentname: C:\Windows\SysWOW64\cmd.exe
5916. Command Line: N/A
5917. 2444 2112
5918. Javacall
5919.  
5920. Method: delete Imagepath: C:\windows\SysWOW64\java.exe
5921. 1668
5922. Process
5923. Terminated
5924.  
5925. C:\Windows\SysWOW64\cmd.exe
5926. Parentname: C:\Windows\SysWOW64\java.exe
5927. Command Line: N/A
5928. 2112 1668
5929. Javacall
5930.  
5931. Method: CONSTRUCTOR
5932. Params: [/etc/lsb-release-crunchbang]
5933. Imagepath: C:\windows\SysWOW64\java.exe
5934. 1668
5935. Javacall
5936.  
5937. Method: CONSTRUCTOR
5938. Params: [/etc/lsb-release]
5939. Imagepath: C:\windows\SysWOW64\java.exe
5940. 1668
5941. Javacall
5942.  
5943. Method: CONSTRUCTOR
5944. Params: [/etc/os-release]
5945. Imagepath: C:\windows\SysWOW64\java.exe
5946. 1668
5947. Javacall
5948.  
5949. Method: getProperty
5950. Params: [os.name]
5951. Imagepath: C:\windows\SysWOW64\java.exe
5952. 1668
5953. Javacall
5954.  
5955. Method: getProperty
5956. Params: [os.version]
5957. Imagepath: C:\windows\SysWOW64\java.exe
5958. 1668
5959. Javacall
5960.  
5961. Method: CONSTRUCTOR
5962. Params: [C:\Program Files (x86)\Oracle\VirtualBox Guest Add
5963. itions]
5964. Imagepath: C:\windows\SysWOW64\java.exe
5965. 1668
5966. Javacall
5967.  
5968. Method: getProperty
5969. Params: [java.home]
5970. Imagepath: C:\windows\SysWOW64\java.exe
5971. 1668
5972. Wmiquery
5973.  
5974. Imagepath: C:\Windows\SysWOW64\cscript.exe
5975. 2556
5976. Javacall
5977.  
5978. Method: CONSTRUCTOR
5979. Params: [C:\Users\Administrator\AppData\Roaming\Oracle\bin\
5980. javaw.exe]
5981. Imagepath: C:\windows\SysWOW64\java.exe
5982. 1668
5983. Javacall
5984.  
5985. Method: exec
5986. Params: [ 'xcopy' '"C:\Progra~2\Java\jre1.8.0_0"' '"C:\User
5987. s\Administrator\AppData\Roaming\Oracle\"' '/e']
5988. Imagepath: C:\windows\SysWOW64\java.exe
5989. 1668
5990. Javacall
5991.  
5992. Method: exec
5993. Params: [ 'xcopy' '"C:\Progra~2\Java\jre1.8.0_0"' '"C:\User
5994. s\Administrator\AppData\Roaming\Oracle\"' '/e', null, null]
5995. Imagepath: C:\windows\SysWOW64\java.exe
5996. 1668
5997. File
5998. Delete
5999.  
6000. C:\Users\Administrator\AppData\Local\Temp\Retrive7937755225211026578.vbs
6001. MD5: a32c109297ed1ca155598cd295c26611
6002. SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
6003. 1668 281
6004. Process
6005. Started
6006.  
6007. C:\Windows\SysWOW64\xcopy.exe
6008. Parentname: C:\Windows\SysWOW64\java.exe
6009. Command Line: xcopy "C:\Progra~2\Java\jre1.8.0_0" "C:\Users\Administrator\AppData\Roaming\Oracle\" /e
6010. MD5: 361d273773994ed11a6f1e51bbb4277e
6011. SHA1: 8a0b7dcefc9a59c51e0ddcf4062ba4d72cf11831
6012. 2452 1668 36864
6013. Process
6014. Terminated
6015.  
6016. C:\Windows\SysWOW64\cscript.exe
6017. Parentname: C:\Windows\SysWOW64\cmd.exe
6018. Command Line: N/A
6019. 2556 1592
6020. Process
6021. Terminated
6022.  
6023. C:\Windows\SysWOW64\cmd.exe
6024. Parentname: C:\Windows\SysWOW64\java.exe
6025. Command Line: N/A
6026. 1592 2712
6027. Regkey
6028. Queryvalue
6029.  
6030. \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\"Identifier"
6031. 2452
6032. Process
6033. Terminated
6034.  
6035. C:\Windows\SysWOW64\xcopy.exe
6036. Parentname: C:\Windows\SysWOW64\java.exe
6037. Command Line: N/A
6038. 2452 1668
6039. Javacall
6040.  
6041. Method: CONSTRUCTOR
6042. Params: [C:\Windows]
6043. Imagepath: C:\windows\SysWOW64\java.exe
6044. 1668
6045. Javacall
6046.  
6047. Method: CONSTRUCTOR
6048. Params: [0x048AAC9C, System32]
6049. Imagepath: C:\windows\SysWOW64\java.exe
6050. 1668
6051. Javacall
6052.  
6053. Method: CONSTRUCTOR
6054. Params: [0x048AAC9C, test.txt]
6055. Imagepath: C:\windows\SysWOW64\java.exe
6056. 1668
6057. File
6058. Created
6059.  
6060. C:\Windows\SysWOW64\test.txt
6061. 1668
6062. File
6063. Close
6064.  
6065. C:\Windows\SysWOW64\test.txt
6066. MD5: f9561e4a116fb712b448ff1615de98ba
6067. SHA1: 61b577b534a80871cec3ef073ca38b145f01fafa
6068. 1668 733
6069. Javacall
6070.  
6071. Method: getProperty
6072. Params: [os.name]
6073. Imagepath: C:\windows\SysWOW64\java.exe
6074. 1668
6075. Process
6076. Started
6077.  
6078. C:\Windows\SysWOW64\cmd.exe
6079. Parentname: C:\Windows\SysWOW64\java.exe
6080. Command Line: cmd.exe
6081. MD5: ad7b9c14083b52bc532fba5948342b98
6082. SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5
6083. 2244 1668 302592
6084. Javacall
6085.  
6086. Method: getProperty
6087. Params: [os.name]
6088. Imagepath: C:\windows\SysWOW64\java.exe
6089. 1668
6090. Javacall
6091.  
6092. Method: getProperty
6093. Params: [user.name]
6094. Imagepath: C:\windows\SysWOW64\java.exe
6095. 1668
6096. Javacall
6097.  
6098. Method: getProperty
6099. Params: [java.runtime.version]
6100. Imagepath: C:\windows\SysWOW64\java.exe
6101. 1668
6102. Javacall
6103.  
6104. Method: CONSTRUCTOR
6105. Params: [C:\Users\Administrator\AppData\Local\Temp\PI - Rev
6106. ised.jar]
6107. Imagepath: C:\windows\SysWOW64\java.exe
6108. 1668
6109. Javacall
6110.  
6111. Method: getProperty
6112. Params: [user.home]
6113. Imagepath: C:\windows\SysWOW64\java.exe
6114. 1668
6115. Javacall
6116.  
6117. Method: CONSTRUCTOR
6118. Params: [C:\Users\Administrator\lYqMlbWljCF]
6119. Imagepath: C:\windows\SysWOW64\java.exe
6120. 1668
6121. Javacall
6122.  
6123. Method: mkdirs Imagepath: C:\windows\SysWOW64\java.exe
6124. 1668
6125. Javacall
6126.  
6127. Method: CONSTRUCTOR
6128. Params: [C:\Users\Administrator\lYqMlbWljCF, ID.txt]
6129. Imagepath: C:\windows\SysWOW64\java.exe
6130. 1668
6131. Folder
6132. Created
6133.  
6134. C:\Users\Administrator\lYqMlbWljCF
6135. 1668
6136. File
6137. Created
6138.  
6139. C:\Users\Administrator\lYqMlbWljCF\ID.txt
6140. 1668
6141. Malicious Alert
6142. Malware Family
6143.  
6144. Message: Trojan.Adwind Indicator
6145.  
6146. File
6147. Close
6148.  
6149. C:\Users\Administrator\lYqMlbWljCF\ID.txt
6150. MD5: 0c74784f237f52c0f4e9af2ac6f66d46
6151. SHA1: 9e6988ff1fa1347a1e22385b3e4651c84aede2df
6152. 1668 47
6153. New Dialog Popup
6154.  
6155. Imagepath: C:\Windows\SysWOW64\java.exe
6156. 1668
6157. Javacall
6158.  
6159. Method: CONSTRUCTOR
6160. Params: [C:\Users\Administrator\lYqMlbWljCF]
6161. Imagepath: C:\windows\SysWOW64\java.exe
6162. 1668
6163. Javacall
6164.  
6165. Method: mkdirs Imagepath: C:\windows\SysWOW64\java.exe
6166. 1668
6167. Javacall
6168.  
6169. Method: CONSTRUCTOR
6170. Params: [0x05583C6C, SPGYEJWAlst.LInDKC]
6171. Imagepath: C:\windows\SysWOW64\java.exe
6172. 1668
6173. Javacall
6174.  
6175. Method: exec
6176. Params: [ 'reg' 'add' 'HKCU\Software\Microsoft\Windows\Curr
6177. entVersion\Run' '/v' 'RfTToxlmCJF' '/t' 'REG_EX
6178. PAND_SZ' '/d' '\"C:\Progra~2\Java\jre1.8.0_0\bi
6179. n\javaw.exe\" -j]
6180. Imagepath: C:\windows\SysWOW64\java.exe
6181. 1668
6182. Javacall
6183.  
6184. Method: exec
6185. Params: [ 'reg' 'add' 'HKCU\Software\Microsoft\Windows\Curr
6186. entVersion\Run' '/v' 'RfTToxlmCJF' '/t' 'REG_EX
6187. PAND_SZ' '/d' '\"C:\Progra~2\Java\jre1.8.0_0\bi
6188. n\javaw.exe\" -j, null, null]
6189. Imagepath: C:\windows\SysWOW64\java.exe
6190. 1668
6191. Process
6192. Started
6193.  
6194. C:\Windows\SysWOW64\reg.exe
6195. Parentname: C:\Windows\SysWOW64\java.exe
6196. Command Line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v RfTToxlmCJF /t REG_EXPAND_SZ /d "\"C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe\" -jar \"C:\Users\Administrator\lYqMlbWljCF\SPGYEJWAlst.LInDKC\"" /f
6197. MD5: d69a9abbb0d795f21995c2f48c1eb560
6198. SHA1: 8bd131b03d6ba865b228ca8ee3239d2ef2b90b74
6199. 2764 1668 62464
6200. Javacall
6201.  
6202. Method: CONSTRUCTOR
6203. Params: [C:\Users\Administrator\AppData\Local\Temp\PI - Rev
6204. ised.jar]
6205. Imagepath: C:\windows\SysWOW64\java.exe
6206. 1668
6207. Javacall
6208.  
6209. Method: CONSTRUCTOR
6210. Params: [0x05583C6C]
6211. Imagepath: C:\windows\SysWOW64\java.exe
6212. 1668
6213. Javacall
6214.  
6215. Method: CONSTRUCTOR
6216. Params: [0x05583C6C]
6217. Imagepath: C:\windows\SysWOW64\java.exe
6218. 1668
6219. Javacall
6220.  
6221. Method: read
6222. Params: [#NOT_STRING_VECTOR#]
6223. Imagepath: C:\windows\SysWOW64\java.exe
6224. 1668
6225. Javacall
6226.  
6227. Method: write
6228. Params: [#NOT_STRING_VECTOR#, 0, 4096]
6229. Imagepath: C:\windows\SysWOW64\java.exe
6230. 1668
6231. 39 Repeated items skipped
6232. Javacall
6233.  
6234. Method: read Imagepath: C:\windows\SysWOW64\java.exe
6235. 1668
6236. Javacall
6237.  
6238. Method: write Imagepath: C:\windows\SysWOW64\java.exe
6239. 1668
6240. 15 Repeated items skipped
6241. Javacall
6242.  
6243. Method: close Imagepath: C:\windows\SysWOW64\java.exe
6244. 1668
6245. Javacall
6246.  
6247. Method: close Imagepath: C:\windows\SysWOW64\java.exe
6248. 1668
6249. 3 Repeated items skipped
6250. Javacall
6251.  
6252. Method: CONSTRUCTOR
6253. Params: [C:\Users\Administrator\lYqMlbWljCF]
6254. Imagepath: C:\windows\SysWOW64\java.exe
6255. 1668
6256. File
6257. Created
6258.  
6259. C:\Users\Administrator\lYqMlbWljCF\SPGYEJWAlst.LInDKC
6260. 1668
6261. Javacall
6262.  
6263. Method: exec
6264. Params: [ 'attrib' '+h' '"C:\Users\Administrator\lYqMlbWljC
6265. F\*.*"']
6266. Imagepath: C:\windows\SysWOW64\java.exe
6267. 1668
6268. Javacall
6269.  
6270. Method: exec
6271. Params: [ 'attrib' '+h' '"C:\Users\Administrator\lYqMlbWljC
6272. F\*.*"', null, null]
6273. Imagepath: C:\windows\SysWOW64\java.exe
6274. 1668
6275. File
6276. Close
6277.  
6278. C:\Users\Administrator\lYqMlbWljCF\SPGYEJWAlst.LInDKC
6279. MD5: 688a691d688d832a5bf42548ad4491b3
6280. SHA1: ff2b19bc234beed2c2d41ae62925831f0ec77676
6281. 1668 533392
6282. Process
6283. Started
6284.  
6285. C:\Windows\SysWOW64\attrib.exe
6286. Parentname: C:\Windows\SysWOW64\java.exe
6287. Command Line: attrib +h "C:\Users\Administrator\lYqMlbWljCF\*.*"
6288. MD5: 459a5755afbb1cb3e67ca4c1296599e3
6289. SHA1: c10b6995861da38e538a1ffd5acc0bb3fc147a6c
6290. 2412 1668 16384
6291. Regkey
6292. Setval
6293.  
6294. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersi
6295. on\Run\"RfTToxlmCJF" = "C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe" -jar "C:\Users\Administrator\l
6296. YqMlbWljCF\SPGYEJWAlst.LInDKC"
6297. 2764
6298. Malicious Alert
6299. Suspicious Persistance Activity
6300.  
6301. Message: Process setting jar load at startup
6302.  
6303. Malicious Alert
6304. Misc Anom
6305.  
6306. Message: Suspicious Persistence Activity
6307.  
6308. Process
6309. Terminated
6310.  
6311. C:\Windows\SysWOW64\reg.exe
6312. Parentname: C:\Windows\SysWOW64\java.exe
6313. Command Line: N/A
6314. 2764 1668
6315. Javacall
6316.  
6317. Method: exec
6318. Params: [ 'attrib' '+h' '"C:\Users\Administrator\lYqMlbWljC
6319. F"']
6320. Imagepath: C:\windows\SysWOW64\java.exe
6321. 1668
6322. File
6323. Hide
6324.  
6325. C:\Users\Administrator\lYqMlbWljCF\ID.txt
6326. MD5: 0c74784f237f52c0f4e9af2ac6f66d46
6327. SHA1: 9e6988ff1fa1347a1e22385b3e4651c84aede2df
6328. 2412 47
6329. File
6330. Hide
6331.  
6332. C:\Users\Administrator\lYqMlbWljCF\SPGYEJWAlst.LInDKC
6333. MD5: 688a691d688d832a5bf42548ad4491b3
6334. SHA1: ff2b19bc234beed2c2d41ae62925831f0ec77676
6335. 2412 533392
6336. Process
6337. Terminated
6338.  
6339. C:\Windows\SysWOW64\attrib.exe
6340. Parentname: C:\Windows\SysWOW64\java.exe
6341. Command Line: N/A
6342. 2412 1668
6343. Javacall
6344.  
6345. Method: exec
6346. Params: [ 'attrib' '+h' '"C:\Users\Administrator\lYqMlbWljC
6347. F"', null, null]
6348. Imagepath: C:\windows\SysWOW64\java.exe
6349. 1668
6350. Process
6351. Started
6352.  
6353. C:\Windows\SysWOW64\attrib.exe
6354. Parentname: C:\Windows\SysWOW64\java.exe
6355. Command Line: attrib +h "C:\Users\Administrator\lYqMlbWljCF"
6356. MD5: 459a5755afbb1cb3e67ca4c1296599e3
6357. SHA1: c10b6995861da38e538a1ffd5acc0bb3fc147a6c
6358. 2248 1668 16384
6359. Javacall
6360.  
6361. Method: getProperty
6362. Params: [java.io.tmpdir]
6363. Imagepath: C:\windows\SysWOW64\java.exe
6364. 1668
6365. Javacall
6366.  
6367. Method: CONSTRUCTOR
6368. Params: [C:\Users\ADMINI~1\AppData\Local\Temp\]
6369. Imagepath: C:\windows\SysWOW64\java.exe
6370. 1668
6371. Process
6372. Started
6373.  
6374. C:\Program Files (x86)\Java\jre1.8.0_0\bin\javaw.exe
6375. Parentname: C:\Windows\SysWOW64\java.exe
6376. Command Line: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe -jar C:\Users\Administrator\lYqMlbWljCF\SPGYEJWAlst.LInDKC
6377. MD5: 9dff2c8f4ce048322fcb10d38820d510
6378. SHA1: e584db967bd7ebfc4ee4def07ee173855981e49a
6379. 1376 1668 176024
6380. Folder
6381. Hide
6382.  
6383. C:\Users\Administrator\lYqMlbWljCF
6384. 2248
6385. Process
6386. Terminated
6387.  
6388. C:\Windows\SysWOW64\attrib.exe
6389. Parentname: C:\Windows\SysWOW64\java.exe
6390. Command Line: N/A
6391. 2248 1668
6392. Mutex
6393.  
6394. \Sessions\1\BaseNamedObjects\DBWinMutex
6395. 1376
6396. Regkey
6397. Queryvalue
6398.  
6399. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
6400. 1376
6401. File
6402. Created
6403.  
6404. C:\Windows\SysWOW64\FE2_20170307_165332.log
6405. 1376
6406. Malicious Alert
6407. Suspicious Directory
6408.  
6409. Message: File created/tampered/deleted in suspicious location
6410.  
6411. Process
6412. Opened
6413.  
6414. Source: C:\Program Files (x86)\Java\jre1.8.0_0\bin\javaw.exe
6415. Target: C:\Windows\SysWOW64\java.exe
6416.  
6417. 1376
6418. 1668
6419.  
6420. Process
6421. Opened
6422.  
6423. Source: C:\Program Files (x86)\Java\jre1.8.0_0\bin\javaw.exe
6424. Target: C:\Windows\SysWOW64\java.exe
6425.  
6426. 1376
6427. 2712
6428.  
6429. File
6430. Created
6431.  
6432. C:\Users\Administrator\AppData\Local\Temp\hsperfdata_Administrator\1376
6433. 1376
6434. File
6435. Delete
6436.  
6437. C:\Users\Administrator\AppData\Local\Temp\hsperfdata_Administrator\1376
6438. 1376
6439. File
6440. Close
6441.  
6442. C:\Users\Administrator\AppData\Local\Temp\hsperfdata_Administrator\1668
6443. MD5: 52f1240cf59874f2253d0d10102f9a21
6444. SHA1: a41da5f4559eafddee3112d29fbe121fbb8832a0
6445. 1668 65536
6446. Javacall
6447.  
6448. Method: getResourceAsStream
6449. Params: [/9be9f6isq9t1ad9opto80bh18kguqcb3u79uh0bed3taircu.
6450. gif]
6451. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6452. 1376
6453. Javacall
6454.  
6455. Method: openStream Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6456. 1376
6457. Javacall
6458.  
6459. Method: getResourceAsStream
6460. Params: [/-65j7mj692komlevnjqk1c8dgs6e1t15rkspltlvgfqoefksk
6461. gkpvi21ig6gj3g1f.gif]
6462. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6463. 1376
6464. Javacall
6465.  
6466. Method: getResourceAsStream
6467. Params: [/-no6q083avlup4e1rhms2gn5j13r5v5kgiov1kb9st5llm570
6468. 5moa8hils5ajtq5m30vmn99g0m1.gif]
6469. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6470. 1376
6471. Javacall
6472.  
6473. Method: getResourceAsStream
6474. Params: [/-pv968smfdgk2svleupgjshksp1e3bto6v7a6gdp1qfhalill
6475. cv6btdkp0hn.gif]
6476. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6477. 1376
6478. Javacall
6479.  
6480. Method: getResourceAsStream
6481. Params: [/-erike4uakjoskm2ik5kd195vnv4cl4n5ln2l5er0ip83atvo
6482. .gif]
6483. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6484. 1376
6485. Javacall
6486.  
6487. Method: CONSTRUCTOR
6488. Params: [/C:/Users/Administrator/lYqMlbWljCF/SPGYEJWAlst.LI
6489. nDKC]
6490. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6491. 1376
6492. Javacall
6493.  
6494. Method: CONSTRUCTOR
6495. Params: [C:\Users\Administrator\lYqMlbWljCF\SPGYEJWAlst.LIn
6496. DKC]
6497. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6498. 1376
6499. Javacall
6500.  
6501. Method: CONSTRUCTOR
6502. Params: [q4745819250453221581, null, -1, C:\Users\Administrator\lYqMlbWljCF\SPGYEJWAlst.LIn
6503. DKC/, 0x048CA83C]
6504. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6505. 1376
6506. Javacall
6507.  
6508. Method: getResourceAsStream
6509. Params: [/-1edd1f6pvtj2g12ld1loquqldvn5jcdpdkrtvhd.gif]
6510. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6511. 1376
6512. Javacall
6513.  
6514. Method: getResourceAsStream
6515. Params: [/26ebpurt88hi7a3mbft1mu0hn8arkqrofcfied28odt123rol
6516. jk1rl8g2f9gnpieiqeuekkl31elvcgvpe01vqk6emqr208h
6517. phf0temciqe8bs7ptm2mhr1sc291j7i6dcckk9ab7j9dvs1
6518. cnqte1t6u6f2pahau6be6ej11mo6ehu0l0dn7j7c4rub0tg
6519. ubij48rsebmodn8oslbstcgak6r18mdq0ivjb37fi81ibu3
6520. tknt3im78f4f2fovf]
6521. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6522. 1376
6523. Javacall
6524.  
6525. Method: getResourceAsStream
6526. Params: [/4ftv33g9veq2otoiaa3b264ntbekvsh72eelpk2fi0a23fep4
6527. 9dacjgblm6q7003ctse5l4udtlpnngpsn82255mfa8os4ju
6528. clpce5tgir3k8fsd0mg2qladuk3d216hoq6ittu1f7odp7j
6529. rqfqd7sggsmfmld121p94pd0a73ai1i6bd3flbe75i0m912
6530. ci407oqt0jdch8187gl835h9m151ljaejhmd18j0op1nk2b
6531. 6lv1r288vfa8dektp]
6532. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6533. 1376
6534. Javacall
6535.  
6536. Method: getResourceAsStream
6537. Params: [/752nkbh63s35v4trc18v9dt4k1psgfcmv365p9t5a9bvqlhvo
6538. t1p3rcasrhme9d25u4luoo5dg2g953hrqbd5pdr871ts0ip
6539. ol7elu2utl9iacusj3uta5cqlmoh448vtnht3hshhnlondh
6540. kkkkrknvvgik1aivj82n3ngeh83h0lsp6oicao43fbtl9sb
6541. 6ged14dhkpbhktbie471e2enehcmebv4la6ljf6ui9rs7bj
6542. 4c1sgob76genhsulm]
6543. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6544. 1376
6545. Javacall
6546.  
6547. Method: getResourceAsStream
6548. Params: [/7dl3ptd7tbkjv345ue8d846kefo8o7u2vnqd5vcha55gbql2d
6549. eldt5qp34amjico2u0b36pd4abg64ucs9ukggsr5v50mch2
6550. krv8vt9hv4c1d0uhjbg8a9nu62s9fog77epkr0ovep4979s
6551. 9lqhh64vrje1dq0us7mto3kl6hr91rtlf4p68e246cg9rl2
6552. 5v6091t7tmv63tg383phvrdjv6q391elv6pv7nhd7r00vs9
6553. r4oc3h0br3t6v121h]
6554. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6555. 1376
6556. Javacall
6557.  
6558. Method: getResourceAsStream
6559. Params: [/3tp64r798a114eqbig0cvkjuko4b7g7fp7acb5ntd9nqasalb
6560. 3avo29prv12n5jek2lb0irs20lsarnvh9ks3bm0nqispo59
6561. rinlb07ji6acculote2t2rf7r8iuvmbgffk1s8qjhrq8ad6
6562. s9c15m0nba8v7ebfmc8nmdpbtv76ta48419hh40pokb2104
6563. 3npelmrk23sb00lu74klm8mla8su9q4gro8h0fii7mb61m3
6564. 8t347n61vd4d5ndii]
6565. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6566. 1376
6567. Javacall
6568.  
6569. Method: getResourceAsStream
6570. Params: [/o/y/d/d/a/a.s]
6571. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6572. 1376
6573. Javacall
6574.  
6575. Method: getResourceAsStream
6576. Params: [/d19nh5e75jl0c7kj1m95t81gu4ve0uh5e8d2ije1rn3qlv9ou
6577. dgcth0280m0m6nb4lne91oujevrt6o7ohlpecnsjt7o5hqh
6578. ls050sgja953jbp7i6qp1vurflqsrtjq04ac2scgnj8l8ka
6579. q3u0thcgoc1aum269vet9cd8hl73p2gacflu4b5tk7ssve2
6580. ouicie89qu2avim6ocejtvkh57e0tv1lhpj0n5r0bbgn451
6581. b5deb4fd0oei47029]
6582. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6583. 1376
6584. Javacall
6585.  
6586. Method: getResourceAsStream
6587. Params: [/5mr08jvrncdqd649s7l8kpjuh31dqcbkoifcf5s61tvrbqecv
6588. fnbdhti5bjfjf5alaee5et4f3cfggirc3qt1niuq0f3fit1
6589. c21h227eofiktqe4kbl9fuvcjpom6iikom10k66966cuv7k
6590. a0ub2qk7hlidrl36cv5cal2nvhq7b94pl9t5d4g00kocpj0
6591. 8epk5ga7p9heb6qjk9u0lh6b2nr7jt37osup2ah79ks4ce3
6592. h327k1mkmituesbkc]
6593. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6594. 1376
6595. Javacall
6596.  
6597. Method: getResourceAsStream
6598. Params: [/-7koglsldpr87c4n1fmgnlm5r57o5jckouk9aa2358gkq695j
6599. 44ql7ltofehm04iej3t5svja9lar5f886b8dj8rktd6jkiv
6600. vvj3ijtjqtenue36cark2gdsa4pb5t2ic7gecbsc4252piv
6601. fceaptu70i39fptvl1q21j1aph742hpffodqj4e7qbkfg66
6602. fra1qbac0bh2qh3qusplnmg94kjkscb82lg9tlk3247jvjl
6603. 8v3fsr078g4hbp2cf]
6604. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6605. 1376
6606. Javacall
6607.  
6608. Method: getResourceAsStream
6609. Params: [/-37kf42mjrp9har7i5rileuv70n60dcp94712emjeor6noil5
6610. 846567fnbieuta29abj13p1sj3hhe63aoi2pqjur0evnnib
6611. mmvrji5q9r8lffd6ikdhp310sga7i8v0om7n4r6jviq392c
6612. 78mu9op9mfivi7k5lrc18vbcsksc39hi7d71bo1dp7ihchj
6613. ne795mi4iqc46n7sf08am3lrcsq1rhdn8slj5je53d43qk6
6614. 68o4b2o99u9f2rngg]
6615. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6616. 1376
6617. Javacall
6618.  
6619. Method: getResourceAsStream
6620. Params: [/617llbcc0ngi10p2lgh0qnojk1tj0msl5so0s5f2nfcq4gn8i
6621. uqgilhaspo40dqquapatote391rv0q4sgvfgjdobq0cani4
6622. 015miebeh53sbfdgtfhqgl1lqbq59ru3svcdnv0c4a43n5i
6623. k5uevad4rg5vtg4bn2udqbcofd0jq74vusn60r5rphpn8b1
6624. ievjf8fpll8cjgbdc2rf5fou6dh04p4p81rdfao1dj4mgpr
6625. 1pirnp1kp2mp4n800]
6626. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6627. 1376
6628. Javacall
6629.  
6630. Method: loadFromXML
6631. Params: [0x048CA8D4]
6632. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6633. 1376
6634. Javacall
6635.  
6636. Method: getResourceAsStream
6637. Params: [/ivDDwrKZ/kBadKz/hGfrGvG/mMfYL.qHG]
6638. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6639. 1376
6640. Javacall
6641.  
6642. Method: getResourceAsStream
6643. Params: [/-3blebl3sqtb7326he2gdf7fs72bptlogtagqhlf9atkq8auj
6644. 6muu21sk81t6hdrf62ss8tq08lbfsn33en81543khj5fgdv
6645. 3njb9kduqq3bj269bedefg08kmepu5hiev8rdl1h173lgbp
6646. jpmb4vfasusbdpfuqp283cc6029kvct7c0vq26np5ijllso
6647. 90onsj2mgu5trvmkt52lfsfn29cv7baq8n897vmhdr9kf0i
6648. 26dfi9tq99d4ssnar]
6649. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6650. 1376
6651. Javacall
6652.  
6653. Method: getResourceAsStream
6654. Params: [/-5ggim0caqin4cikuicorrf12q1uvkk1ki07oa7fvqudb2kp1
6655. 3l3kdtucq3qr9blm8qjlm1doae3tea80517i6v48m3p4dc4
6656. 8r5652cfvg5hd8ieteujd29gppc3ql3n6a04q4nibip1ke7
6657. 0p9f94aamummfeklicjcvlmbp07vv6geqegfbcm25344qqc
6658. 125rok7j3rv2qvopfm8faih7e144ahdihfqmuv5f2mbe29v
6659. m69p6gtjmfmfgu2a3]
6660. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6661. 1376
6662. Javacall
6663.  
6664. Method: getResourceAsStream Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6665. 1376
6666. Javacall
6667.  
6668. Method: read
6669. Params: [#NOT_STRING_VECTOR#]
6670. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6671. 1376
6672. Javacall
6673.  
6674. Method: read
6675. Params: [#NOT_STRING_VECTOR#]
6676. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6677. 1376
6678. 3 Repeated items skipped
6679. Javacall
6680.  
6681. Method: loadFromXML
6682. Params: [0x048CB874]
6683. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6684. 1376
6685. Javacall
6686.  
6687. Method: read
6688. Params: [#NOT_STRING_VECTOR#]
6689. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6690. 1376
6691. Javacall
6692.  
6693. Method: read
6694. Params: [#NOT_STRING_VECTOR#]
6695. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6696. 1376
6697. 15 Repeated items skipped
6698. Javacall
6699.  
6700. Method: read Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6701. 1376
6702. Javacall
6703.  
6704. Method: read Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6705. 1376
6706. 7 Repeated items skipped
6707. Process
6708. Terminated
6709.  
6710. C:\Windows\SysWOW64\java.exe
6711. Parentname: n/a
6712. Command Line: N/A
6713. 1668 1956
6714. File
6715. Close
6716.  
6717. C:\Windows\SysWOW64\FE2_20170307_165318.log
6718. 1668
6719. Process
6720. Terminated
6721.  
6722. C:\Windows\SysWOW64\cmd.exe
6723. Parentname: C:\Windows\SysWOW64\java.exe
6724. Command Line: N/A
6725. 2244 1668
6726. Javacall
6727.  
6728. Method: CONSTRUCTOR
6729. Params: [0x048CBE14]
6730. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6731. 1376
6732. Javacall
6733.  
6734. Method: getProperty
6735. Params: [os.name]
6736. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6737. 1376
6738. Javacall
6739.  
6740. Method: getProperty
6741. Params: [os.version]
6742. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6743. 1376
6744. Javacall
6745.  
6746. Method: createTempFile
6747. Params: [Retrive, .vbs]
6748. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6749. 1376
6750. Javacall
6751.  
6752. Method: exec
6753. Params: [ 'cmd.exe' '/C' 'cscript.exe' 'C:\Users\ADMINI~1\A
6754. ppData\Local\Temp\Retrive1043929998812268036.vb
6755. s']
6756. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6757. 1376
6758. Javacall
6759.  
6760. Method: exec
6761. Params: [ 'cmd.exe' '/C' 'cscript.exe' 'C:\Users\ADMINI~1\A
6762. ppData\Local\Temp\Retrive1043929998812268036.vb
6763. s', null, null]
6764. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6765. 1376
6766. File
6767. Created
6768.  
6769. C:\Users\Administrator\AppData\Local\Temp\Retrive1043929998812268036.vbs
6770. 1376
6771. File
6772. Close
6773.  
6774. C:\Users\Administrator\AppData\Local\Temp\Retrive1043929998812268036.vbs
6775. 1376
6776. File
6777. Overwritten
6778.  
6779. C:\Users\Administrator\AppData\Local\Temp\Retrive1043929998812268036.vbs
6780. 1376
6781. File
6782. Close
6783.  
6784. C:\Users\Administrator\AppData\Local\Temp\Retrive1043929998812268036.vbs
6785. MD5: 3bdfd33017806b85949b6faa7d4b98e4
6786. SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
6787. 1376 276
6788. Process
6789. Started
6790.  
6791. C:\Windows\SysWOW64\cmd.exe
6792. Parentname: C:\Program Files (x86)\Java\jre1.8.0_0\bin\javaw.exe
6793. Command Line: cmd.exe /C cscript.exe C:\Users\ADMINI~1\AppData\Local\Temp\Retrive1043929998812268036.vbs
6794. MD5: ad7b9c14083b52bc532fba5948342b98
6795. SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5
6796. 892 1376 302592
6797. Mutex
6798.  
6799. \Sessions\1\BaseNamedObjects\DBWinMutex
6800. 892
6801. Regkey
6802. Queryvalue
6803.  
6804. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
6805. 892
6806. Process
6807. Started
6808.  
6809. C:\Windows\SysWOW64\cscript.exe
6810. Parentname: C:\Windows\SysWOW64\cmd.exe
6811. Command Line: cscript.exe C:\Users\ADMINI~1\AppData\Local\Temp\Retrive1043929998812268036.vbs
6812. MD5: f36b7461fecdcf763fdefa3a3352cd45
6813. SHA1: d1b9ba6fd3aa56b96f5375136798fe9dfc927f72
6814. 1740 892 126976
6815. Mutex
6816.  
6817. \Sessions\1\BaseNamedObjects\DBWinMutex
6818. 1740
6819. Regkey
6820. Queryvalue
6821.  
6822. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
6823. 1740
6824. 2 Repeated items skipped
6825. Wmiquery
6826.  
6827. Imagepath: C:\Windows\SysWOW64\cscript.exe
6828. 1740
6829. Process
6830. Terminated
6831.  
6832. C:\Windows\SysWOW64\cscript.exe
6833. Parentname: C:\Windows\SysWOW64\cmd.exe
6834. Command Line: N/A
6835. 1740 892
6836. Javacall
6837.  
6838. Method: delete Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6839. 1376
6840. Javacall
6841.  
6842. Method: createTempFile
6843. Params: [Retrive, .vbs]
6844. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6845. 1376
6846. Javacall
6847.  
6848. Method: exec
6849. Params: [ 'cmd.exe' '/C' 'cscript.exe' 'C:\Users\ADMINI~1\A
6850. ppData\Local\Temp\Retrive835896196415185864.vbs
6851. ']
6852. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6853. 1376
6854. Javacall
6855.  
6856. Method: exec
6857. Params: [ 'cmd.exe' '/C' 'cscript.exe' 'C:\Users\ADMINI~1\A
6858. ppData\Local\Temp\Retrive835896196415185864.vbs
6859. ', null, null]
6860. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6861. 1376
6862. Process
6863. Terminated
6864.  
6865. C:\Windows\SysWOW64\cmd.exe
6866. Parentname: C:\Program Files (x86)\Java\jre1.8.0_0\bin\javaw.exe
6867. Command Line: N/A
6868. 892 1376
6869. File
6870. Delete
6871.  
6872. C:\Users\Administrator\AppData\Local\Temp\Retrive1043929998812268036.vbs
6873. MD5: 3bdfd33017806b85949b6faa7d4b98e4
6874. SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
6875. 1376 276
6876. File
6877. Created
6878.  
6879. C:\Users\Administrator\AppData\Local\Temp\Retrive835896196415185864.vbs
6880. 1376
6881. File
6882. Close
6883.  
6884. C:\Users\Administrator\AppData\Local\Temp\Retrive835896196415185864.vbs
6885. 1376
6886. File
6887. Overwritten
6888.  
6889. C:\Users\Administrator\AppData\Local\Temp\Retrive835896196415185864.vbs
6890. 1376
6891. File
6892. Close
6893.  
6894. C:\Users\Administrator\AppData\Local\Temp\Retrive835896196415185864.vbs
6895. MD5: a32c109297ed1ca155598cd295c26611
6896. SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
6897. 1376 281
6898. Process
6899. Started
6900.  
6901. C:\Windows\SysWOW64\cmd.exe
6902. Parentname: C:\Program Files (x86)\Java\jre1.8.0_0\bin\javaw.exe
6903. Command Line: cmd.exe /C cscript.exe C:\Users\ADMINI~1\AppData\Local\Temp\Retrive835896196415185864.vbs
6904. MD5: ad7b9c14083b52bc532fba5948342b98
6905. SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5
6906. 2288 1376 302592
6907. Mutex
6908.  
6909. \Sessions\1\BaseNamedObjects\DBWinMutex
6910. 2288
6911. Regkey
6912. Queryvalue
6913.  
6914. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
6915. 2288
6916. Process
6917. Started
6918.  
6919. C:\Windows\SysWOW64\cscript.exe
6920. Parentname: C:\Windows\SysWOW64\cmd.exe
6921. Command Line: cscript.exe C:\Users\ADMINI~1\AppData\Local\Temp\Retrive835896196415185864.vbs
6922. MD5: f36b7461fecdcf763fdefa3a3352cd45
6923. SHA1: d1b9ba6fd3aa56b96f5375136798fe9dfc927f72
6924. 2152 2288 126976
6925. Mutex
6926.  
6927. \Sessions\1\BaseNamedObjects\DBWinMutex
6928. 2152
6929. Regkey
6930. Queryvalue
6931.  
6932. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
6933. 2152
6934. 2 Repeated items skipped
6935. Wmiquery
6936.  
6937. Imagepath: C:\Windows\SysWOW64\cscript.exe
6938. 2152
6939. Process
6940. Terminated
6941.  
6942. C:\Windows\SysWOW64\cscript.exe
6943. Parentname: C:\Windows\SysWOW64\cmd.exe
6944. Command Line: N/A
6945. 2152 2288
6946. Javacall
6947.  
6948. Method: delete Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6949. 1376
6950. Javacall
6951.  
6952. Method: CONSTRUCTOR
6953. Params: [/etc/lsb-release-crunchbang]
6954. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6955. 1376
6956. Javacall
6957.  
6958. Method: CONSTRUCTOR
6959. Params: [/etc/lsb-release]
6960. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6961. 1376
6962. Javacall
6963.  
6964. Method: CONSTRUCTOR
6965. Params: [/etc/os-release]
6966. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6967. 1376
6968. Javacall
6969.  
6970. Method: getProperty
6971. Params: [os.name]
6972. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6973. 1376
6974. Javacall
6975.  
6976. Method: getProperty
6977. Params: [os.version]
6978. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6979. 1376
6980. Javacall
6981.  
6982. Method: CONSTRUCTOR
6983. Params: [C:\Program Files (x86)\Oracle\VirtualBox Guest Add
6984. itions]
6985. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6986. 1376
6987. Javacall
6988.  
6989. Method: getProperty
6990. Params: [java.home]
6991. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6992. 1376
6993. Javacall
6994.  
6995. Method: CONSTRUCTOR
6996. Params: [C:\Users\Administrator\AppData\Roaming\Oracle\bin\
6997. javaw.exe]
6998. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
6999. 1376
7000. Javacall
7001.  
7002. Method: CONSTRUCTOR
7003. Params: [C:\Windows]
7004. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7005. 1376
7006. Javacall
7007.  
7008. Method: CONSTRUCTOR
7009. Params: [0x048CBE14, System32]
7010. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7011. 1376
7012. Javacall
7013.  
7014. Method: CONSTRUCTOR
7015. Params: [0x048CBE14, test.txt]
7016. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7017. 1376
7018. Javacall
7019.  
7020. Method: getProperty
7021. Params: [os.name]
7022. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7023. 1376
7024. Process
7025. Terminated
7026.  
7027. C:\Windows\SysWOW64\cmd.exe
7028. Parentname: C:\Program Files (x86)\Java\jre1.8.0_0\bin\javaw.exe
7029. Command Line: N/A
7030. 2288 1376
7031. File
7032. Delete
7033.  
7034. C:\Users\Administrator\AppData\Local\Temp\Retrive835896196415185864.vbs
7035. MD5: a32c109297ed1ca155598cd295c26611
7036. SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
7037. 1376 281
7038. File
7039. Overwritten
7040.  
7041. C:\Windows\SysWOW64\test.txt
7042. MD5: f9561e4a116fb712b448ff1615de98ba
7043. SHA1: 61b577b534a80871cec3ef073ca38b145f01fafa
7044. 1376 733
7045. File
7046. Close
7047.  
7048. C:\Windows\SysWOW64\test.txt
7049. MD5: 37d0a0074cc2b19a04358f985eada690
7050. SHA1: 1a6284b9c630eeb494ae3595cfb0086a4ad19097
7051. 1376 350
7052. Process
7053. Started
7054.  
7055. C:\Windows\SysWOW64\cmd.exe
7056. Parentname: C:\Program Files (x86)\Java\jre1.8.0_0\bin\javaw.exe
7057. Command Line: cmd.exe
7058. MD5: ad7b9c14083b52bc532fba5948342b98
7059. SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5
7060. 1720 1376 302592
7061. Mutex
7062.  
7063. \Sessions\1\BaseNamedObjects\DBWinMutex
7064. 1720
7065. Regkey
7066. Queryvalue
7067.  
7068. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
7069. 1720
7070. Javacall
7071.  
7072. Method: getProperty
7073. Params: [os.name]
7074. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7075. 1376
7076. Javacall
7077.  
7078. Method: getProperty
7079. Params: [user.name]
7080. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7081. 1376
7082. Javacall
7083.  
7084. Method: getProperty
7085. Params: [java.runtime.version]
7086. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7087. 1376
7088. Javacall
7089.  
7090. Method: CONSTRUCTOR
7091. Params: [C:\Users\Administrator\lYqMlbWljCF\SPGYEJWAlst.LIn
7092. DKC]
7093. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7094. 1376
7095. Javacall
7096.  
7097. Method: getProperty
7098. Params: [user.home]
7099. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7100. 1376
7101. Javacall
7102.  
7103. Method: CONSTRUCTOR
7104. Params: [C:\Users\Administrator\lYqMlbWljCF]
7105. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7106. 1376
7107. Javacall
7108.  
7109. Method: mkdirs Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7110. 1376
7111. Javacall
7112.  
7113. Method: CONSTRUCTOR
7114. Params: [C:\Users\Administrator\lYqMlbWljCF, ID.txt]
7115. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7116. 1376
7117. Javacall
7118.  
7119. Method: CONSTRUCTOR
7120. Params: [0x055E90B4]
7121. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7122. 1376
7123. Javacall
7124.  
7125. Method: close Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7126. 1376
7127. Javacall
7128.  
7129. Method: CONSTRUCTOR
7130. Params: [C:\Users\Administrator\lYqMlbWljCF]
7131. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7132. 1376
7133. Javacall
7134.  
7135. Method: mkdirs Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7136. 1376
7137. Javacall
7138.  
7139. Method: CONSTRUCTOR
7140. Params: [0x055E90B4, SPGYEJWAlst.LInDKC]
7141. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7142. 1376
7143. Javacall
7144.  
7145. Method: CONSTRUCTOR
7146. Params: [C:\Users\Administrator\lYqMlbWljCF, aWDEAEIgloC]
7147. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7148. 1376
7149. Javacall
7150.  
7151. Method: mkdirs Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7152. 1376
7153. Folder
7154. Created
7155.  
7156. C:\Users\Administrator\lYqMlbWljCF\aWDEAEIgloC
7157. 1376
7158. Javacall
7159.  
7160. Method: createTempFile
7161. Params: [bnbOYvIjjk, .reg]
7162. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7163. 1376
7164. File
7165. Created
7166.  
7167. C:\Users\Administrator\AppData\Local\Temp\bnbOYvIjjk5851086389142295130.reg
7168. 1376
7169. File
7170. Close
7171.  
7172. C:\Users\Administrator\AppData\Local\Temp\bnbOYvIjjk5851086389142295130.reg
7173. 1376
7174. File
7175. Overwritten
7176.  
7177. C:\Users\Administrator\AppData\Local\Temp\bnbOYvIjjk5851086389142295130.reg
7178. 1376
7179. Javacall
7180.  
7181. Method: exec
7182. Params: [ 'taskkill' '/IM' 'UserAccountControlSettings.exe'
7183. '/T' '/F']
7184. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7185. 1376
7186. Javacall
7187.  
7188. Method: exec
7189. Params: [ 'cmd.exe' '/c' 'regedit.exe' '/s' 'C:\Users\ADMIN
7190. I~1\AppData\Local\Temp\bnbOYvIjjk58510863891422
7191. 95130.reg']
7192. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7193. 1376
7194. Javacall
7195.  
7196. Method: exec
7197. Params: [ 'taskkill' '/IM' 'UserAccountControlSettings.exe'
7198. '/T' '/F', null, null]
7199. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7200. 1376
7201. Javacall
7202.  
7203. Method: exec
7204. Params: [ 'cmd.exe' '/c' 'regedit.exe' '/s' 'C:\Users\ADMIN
7205. I~1\AppData\Local\Temp\bnbOYvIjjk58510863891422
7206. 95130.reg', null, null]
7207. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7208. 1376
7209. File
7210. Close
7211.  
7212. C:\Users\Administrator\AppData\Local\Temp\bnbOYvIjjk5851086389142295130.reg
7213. MD5: 7f97f5f336944d427c03cc730c636b8f
7214. SHA1: 8a50c72b4580c20d4a7bfc7af8f12671bf6715ae
7215. 1376 27926
7216. Network
7217. Dns Query
7218.  
7219. Protocol Type: udp Qtype: Host Address Hostname: dam5i6.linkpc.net
7220. Imagepath: c:\Program Files (x86)\Java\jre1.8.0_0\bin\javaw.exe
7221. 1376
7222. Malicious Alert
7223. Network Activity
7224.  
7225. Message: Network outbound communication attempted
7226.  
7227. Network
7228. Dns Query Answer
7229.  
7230. Protocol Type: udp IP Address: 199.16.199.2 Hostname: dam5i6.linkpc.net
7231. Imagepath: c:\Program Files (x86)\Java\jre1.8.0_0\bin\javaw.exe
7232. 1376
7233. Network
7234. Connect
7235.  
7236. Protocol Type: tcp Destination Port: 2675 IP Address: 199.16.199.2
7237. Imagepath: c:\Program Files (x86)\Java\jre1.8.0_0\bin\javaw.exe
7238. 1376
7239. Malicious Alert
7240. Network Activity
7241.  
7242. Message: Network outbound communication attempted
7243.  
7244. Process
7245. Started
7246.  
7247. C:\Windows\SysWOW64\taskkill.exe
7248. Parentname: C:\Program Files (x86)\Java\jre1.8.0_0\bin\javaw.exe
7249. Command Line: taskkill /IM UserAccountControlSettings.exe /T /F
7250. MD5: 94bdcafbd584c979b385adee14b08ab4
7251. SHA1: 1985a9d34271cd24d28c15452c822bd4b9b50f90
7252. 2400 1376 77824
7253. Process
7254. Started
7255.  
7256. C:\Windows\SysWOW64\cmd.exe
7257. Parentname: C:\Program Files (x86)\Java\jre1.8.0_0\bin\javaw.exe
7258. Command Line: cmd.exe /c regedit.exe /s C:\Users\ADMINI~1\AppData\Local\Temp\bnbOYvIjjk5851086389142295130.reg
7259. MD5: ad7b9c14083b52bc532fba5948342b98
7260. SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5
7261. 2908 1376 302592
7262. Mutex
7263.  
7264. \Sessions\1\BaseNamedObjects\DBWinMutex
7265. 2908
7266. Regkey
7267. Queryvalue
7268.  
7269. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
7270. 2908
7271. Process
7272. Started
7273.  
7274. C:\Windows\SysWOW64\regedit.exe
7275. Parentname: C:\Windows\SysWOW64\cmd.exe
7276. Command Line: regedit.exe /s C:\Users\ADMINI~1\AppData\Local\Temp\bnbOYvIjjk5851086389142295130.reg
7277. MD5: 8a4883f5e7ac37444f23279239553878
7278. SHA1: 682214961228453c389854e81e6786df92bbfa67
7279. 1992 2908 398336
7280. Mutex
7281.  
7282. \Sessions\1\BaseNamedObjects\DBWinMutex
7283. 1992
7284. Regkey
7285. Queryvalue
7286.  
7287. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
7288. 1992
7289. Regkey
7290. Added
7291.  
7292. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersi
7293. on\Policies\Attachments
7294. 1992
7295. Regkey
7296. Setval
7297.  
7298. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersi
7299. on\Policies\Attachments\"SaveZoneInformation" = 0x00000001
7300. 1992
7301. Regkey
7302. Added
7303.  
7304. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersi
7305. on\Policies\Associations
7306. 1992
7307. Regkey
7308. Setval
7309.  
7310. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersi
7311. on\Policies\Associations\"LowRiskFileTypes" = .avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg
7312. ;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;
7313. 1992
7314. Regkey
7315. Deleteval
7316.  
7317. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\"SaveZoneInformatio
7318. n"
7319. 1992
7320. Regkey
7321. Added
7322.  
7323. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Associations
7324. 1992
7325. Regkey
7326. Added
7327.  
7328. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations
7329. 1992
7330. Regkey
7331. Deleteval
7332.  
7333. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\"LowRiskFileTypes"
7334. 1992
7335. Regkey
7336. Setval
7337.  
7338. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Environment\"SEE_MASK_NOZONECHECKS" = 1
7339. 1992
7340. Regkey
7341. Setval
7342.  
7343. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\Environment\"SEE_MASK_NOZONECHECKS" =
7344. 1
7345. 1992
7346. Regkey
7347. Added
7348.  
7349. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7350. ons\UserAccountControlSettings.exe
7351. 1992
7352. Regkey
7353. Added
7354.  
7355. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAcco
7356. untControlSettings.exe
7357. 1992
7358. Javacall
7359.  
7360. Method: exec
7361. Params: [ 'taskkill' '/IM' 'Taskmgr.exe' '/T' '/F']
7362. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7363. 1376
7364. Javacall
7365.  
7366. Method: exec
7367. Params: [ 'taskkill' '/IM' 'Taskmgr.exe' '/T' '/F', null, null]
7368. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
7369. 1376
7370. Process
7371. Started
7372.  
7373. C:\Windows\SysWOW64\taskkill.exe
7374. Parentname: C:\Program Files (x86)\Java\jre1.8.0_0\bin\javaw.exe
7375. Command Line: taskkill /IM Taskmgr.exe /T /F
7376. MD5: 94bdcafbd584c979b385adee14b08ab4
7377. SHA1: 1985a9d34271cd24d28c15452c822bd4b9b50f90
7378. 2504 1376 77824
7379. Malicious Alert
7380. Misc Anom
7381.  
7382. Message: Security Tools/Utilities/Policies Tampered/Subverted/Disabled
7383.  
7384. Malicious Alert
7385. Security Tool Activity
7386.  
7387. Message: Security policies tampering
7388.  
7389. Regkey
7390. Setval
7391.  
7392. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAcco
7393. untControlSettings.exe\"debugger" = svchost.exe
7394. 1992
7395. Malicious Alert
7396. Suspicious Persistance Activity
7397.  
7398. Message: Process Setting Image File Execution Options
7399.  
7400. Regkey
7401. Setval
7402.  
7403. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"ConsentPromptBehaviorAd
7404. min" = 0x00000000
7405. 1992
7406. Regkey
7407. Setval
7408.  
7409. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"ConsentPromptBehaviorUs
7410. er" = 0x00000000
7411. 1992
7412. Regkey
7413. Setval
7414.  
7415. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"EnableLUA" = 0x00000000
7416. 1992
7417. Regkey
7418. Setval
7419.  
7420. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\"PromptOnSecureDesktop"
7421. = 0x00000000
7422. 1992
7423. Regkey
7424. Added
7425.  
7426. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7427. ons\Taskmgr.exe
7428. 1992
7429. Regkey
7430. Added
7431.  
7432. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.
7433. exe
7434. 1992
7435. Mutex
7436.  
7437. \Sessions\1\BaseNamedObjects\DBWinMutex
7438. 2400
7439. Regkey
7440. Queryvalue
7441.  
7442. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
7443. 2400
7444. Regkey
7445. Setval
7446.  
7447. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.
7448. exe\"debugger" = svchost.exe
7449. 1992
7450. Regkey
7451. Added
7452.  
7453. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersi
7454. on\Policies\System
7455. 1992
7456. Regkey
7457. Setval
7458.  
7459. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersi
7460. on\Policies\System\"DisableTaskMgr" = 0x00000002
7461. 1992
7462. Regkey
7463. Added
7464.  
7465. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore
7466. 1992
7467. Regkey
7468. Added
7469.  
7470. \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
7471. 1992
7472. Regkey
7473. Setval
7474.  
7475. \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableConfig" = 0x00000001
7476. 1992
7477. Regkey
7478. Setval
7479.  
7480. \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableSR" = 0x00000001
7481. 1992
7482. Regkey
7483. Added
7484.  
7485. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7486. ons\ProcessHacker.exe
7487. 1992
7488. Regkey
7489. Added
7490.  
7491. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessH
7492. acker.exe
7493. 1992
7494. Regkey
7495. Setval
7496.  
7497. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessH
7498. acker.exe\"debugger" = svchost.exe
7499. 1992
7500. Mutex
7501.  
7502. \Sessions\1\BaseNamedObjects\DBWinMutex
7503. 2504
7504. Regkey
7505. Queryvalue
7506.  
7507. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
7508. 2504
7509. Regkey
7510. Added
7511.  
7512. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7513. ons\procexp.exe
7514. 1992
7515. Regkey
7516. Added
7517.  
7518. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.
7519. exe
7520. 1992
7521. Regkey
7522. Setval
7523.  
7524. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.
7525. exe\"debugger" = svchost.exe
7526. 1992
7527. Regkey
7528. Added
7529.  
7530. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7531. ons\MSASCui.exe
7532. 1992
7533. Regkey
7534. Added
7535.  
7536. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.
7537. exe
7538. 1992
7539. Regkey
7540. Setval
7541.  
7542. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.
7543. exe\"debugger" = svchost.exe
7544. 1992
7545. Regkey
7546. Added
7547.  
7548. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7549. ons\MsMpEng.exe
7550. 1992
7551. Regkey
7552. Added
7553.  
7554. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.
7555. exe
7556. 1992
7557. Regkey
7558. Setval
7559.  
7560. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.
7561. exe\"debugger" = svchost.exe
7562. 1992
7563. Regkey
7564. Added
7565.  
7566. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7567. ons\MpUXSrv.exe
7568. 1992
7569. Regkey
7570. Added
7571.  
7572. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.
7573. exe
7574. 1992
7575. Regkey
7576. Setval
7577.  
7578. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.
7579. exe\"debugger" = svchost.exe
7580. 1992
7581. Regkey
7582. Added
7583.  
7584. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7585. ons\MpCmdRun.exe
7586. 1992
7587. Regkey
7588. Added
7589.  
7590. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun
7591. .exe
7592. 1992
7593. Regkey
7594. Setval
7595.  
7596. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun
7597. .exe\"debugger" = svchost.exe
7598. 1992
7599. Regkey
7600. Added
7601.  
7602. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7603. ons\NisSrv.exe
7604. 1992
7605. Regkey
7606. Added
7607.  
7608. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.e
7609. xe
7610. 1992
7611. Regkey
7612. Setval
7613.  
7614. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.e
7615. xe\"debugger" = svchost.exe
7616. 1992
7617. Regkey
7618. Queryvalue
7619.  
7620. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
7621. 2400
7622. Regkey
7623. Queryvalue
7624.  
7625. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
7626. 2504
7627. Wmiquery
7628.  
7629. Imagepath: C:\Windows\SysWOW64\taskkill.exe
7630. 2400
7631. Regkey
7632. Added
7633.  
7634. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7635. ons\ConfigSecurityPolicy.exe
7636. 1992
7637. Regkey
7638. Added
7639.  
7640. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSe
7641. curityPolicy.exe
7642. 1992
7643. Wmiquery
7644.  
7645. Imagepath: C:\Windows\SysWOW64\taskkill.exe
7646. 2504
7647. Regkey
7648. Setval
7649.  
7650. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSe
7651. curityPolicy.exe\"debugger" = svchost.exe
7652. 1992
7653. Regkey
7654. Setval
7655.  
7656. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.
7657. exe\"debugger" = svchost.exe
7658. 1992
7659. Regkey
7660. Added
7661.  
7662. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7663. ons\wireshark.exe
7664. 1992
7665. Regkey
7666. Added
7667.  
7668. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshar
7669. k.exe
7670. 1992
7671. Regkey
7672. Setval
7673.  
7674. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshar
7675. k.exe\"debugger" = svchost.exe
7676. 1992
7677. Regkey
7678. Added
7679.  
7680. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7681. ons\tshark.exe
7682. 1992
7683. Regkey
7684. Added
7685.  
7686. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.e
7687. xe
7688. 1992
7689. Regkey
7690. Setval
7691.  
7692. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.e
7693. xe\"debugger" = svchost.exe
7694. 1992
7695. Regkey
7696. Added
7697.  
7698. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7699. ons\text2pcap.exe
7700. 1992
7701. Regkey
7702. Added
7703.  
7704. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pca
7705. p.exe
7706. 1992
7707. Regkey
7708. Setval
7709.  
7710. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pca
7711. p.exe\"debugger" = svchost.exe
7712. 1992
7713. Regkey
7714. Added
7715.  
7716. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7717. ons\rawshark.exe
7718. 1992
7719. Regkey
7720. Added
7721.  
7722. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark
7723. .exe
7724. 1992
7725. Regkey
7726. Setval
7727.  
7728. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark
7729. .exe\"debugger" = svchost.exe
7730. 1992
7731. Regkey
7732. Added
7733.  
7734. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7735. ons\mergecap.exe
7736. 1992
7737. Regkey
7738. Added
7739.  
7740. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mergecap
7741. .exe
7742. 1992
7743. Regkey
7744. Setval
7745.  
7746. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mergecap
7747. .exe\"debugger" = svchost.exe
7748. 1992
7749. Regkey
7750. Added
7751.  
7752. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7753. ons\editcap.exe
7754. 1992
7755. Regkey
7756. Added
7757.  
7758. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\editcap.
7759. exe
7760. 1992
7761. Regkey
7762. Setval
7763.  
7764. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\editcap.
7765. exe\"debugger" = svchost.exe
7766. 1992
7767. Regkey
7768. Added
7769.  
7770. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7771. ons\dumpcap.exe
7772. 1992
7773. Regkey
7774. Added
7775.  
7776. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.
7777. exe
7778. 1992
7779. Regkey
7780. Setval
7781.  
7782. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.
7783. exe\"debugger" = svchost.exe
7784. 1992
7785. Regkey
7786. Added
7787.  
7788. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7789. ons\capinfos.exe
7790. 1992
7791. Regkey
7792. Added
7793.  
7794. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos
7795. .exe
7796. 1992
7797. Regkey
7798. Setval
7799.  
7800. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos
7801. .exe\"debugger" = svchost.exe
7802. 1992
7803. Regkey
7804. Added
7805.  
7806. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7807. ons\mbam.exe
7808. 1992
7809. Regkey
7810. Added
7811.  
7812. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
7813. 1992
7814. Regkey
7815. Setval
7816.  
7817. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
7818. \"debugger" = svchost.exe
7819. 1992
7820. Regkey
7821. Added
7822.  
7823. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7824. ons\mbamscheduler.exe
7825. 1992
7826. Regkey
7827. Added
7828.  
7829. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamsche
7830. duler.exe
7831. 1992
7832. Regkey
7833. Setval
7834.  
7835. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamsche
7836. duler.exe\"debugger" = svchost.exe
7837. 1992
7838. Regkey
7839. Added
7840.  
7841. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7842. ons\mbamservice.exe
7843. 1992
7844. Regkey
7845. Added
7846.  
7847. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamserv
7848. ice.exe
7849. 1992
7850. Regkey
7851. Setval
7852.  
7853. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamserv
7854. ice.exe\"debugger" = svchost.exe
7855. 1992
7856. Regkey
7857. Added
7858.  
7859. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7860. ons\AdAwareService.exe
7861. 1992
7862. Regkey
7863. Added
7864.  
7865. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareS
7866. ervice.exe
7867. 1992
7868. Regkey
7869. Setval
7870.  
7871. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareS
7872. ervice.exe\"debugger" = svchost.exe
7873. 1992
7874. Regkey
7875. Added
7876.  
7877. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7878. ons\AdAwareTray.exe
7879. 1992
7880. Regkey
7881. Added
7882.  
7883. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareT
7884. ray.exe
7885. 1992
7886. Regkey
7887. Setval
7888.  
7889. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareT
7890. ray.exe\"debugger" = svchost.exe
7891. 1992
7892. Regkey
7893. Added
7894.  
7895. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7896. ons\WebCompanion.exe
7897. 1992
7898. Regkey
7899. Added
7900.  
7901. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WebCompa
7902. nion.exe
7903. 1992
7904. Regkey
7905. Setval
7906.  
7907. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WebCompa
7908. nion.exe\"debugger" = svchost.exe
7909. 1992
7910. Regkey
7911. Added
7912.  
7913. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7914. ons\AdAwareDesktop.exe
7915. 1992
7916. Regkey
7917. Added
7918.  
7919. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareD
7920. esktop.exe
7921. 1992
7922. Regkey
7923. Setval
7924.  
7925. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareD
7926. esktop.exe\"debugger" = svchost.exe
7927. 1992
7928. Regkey
7929. Added
7930.  
7931. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7932. ons\V3Main.exe
7933. 1992
7934. Regkey
7935. Added
7936.  
7937. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Main.e
7938. xe
7939. 1992
7940. Regkey
7941. Setval
7942.  
7943. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Main.e
7944. xe\"debugger" = svchost.exe
7945. 1992
7946. Regkey
7947. Added
7948.  
7949. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7950. ons\V3Svc.exe
7951. 1992
7952. Regkey
7953. Added
7954.  
7955. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Svc.ex
7956. e
7957. 1992
7958. Regkey
7959. Setval
7960.  
7961. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Svc.ex
7962. e\"debugger" = svchost.exe
7963. 1992
7964. Regkey
7965. Added
7966.  
7967. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7968. ons\V3Up.exe
7969. 1992
7970. Regkey
7971. Added
7972.  
7973. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Up.exe
7974. 1992
7975. Regkey
7976. Setval
7977.  
7978. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Up.exe
7979. \"debugger" = svchost.exe
7980. 1992
7981. Regkey
7982. Added
7983.  
7984. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
7985. ons\V3SP.exe
7986. 1992
7987. Regkey
7988. Added
7989.  
7990. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3SP.exe
7991. 1992
7992. Regkey
7993. Setval
7994.  
7995. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3SP.exe
7996. \"debugger" = svchost.exe
7997. 1992
7998. Regkey
7999. Added
8000.  
8001. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8002. ons\V3Proxy.exe
8003. 1992
8004. Regkey
8005. Added
8006.  
8007. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Proxy.
8008. exe
8009. 1992
8010. Regkey
8011. Setval
8012.  
8013. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Proxy.
8014. exe\"debugger" = svchost.exe
8015. 1992
8016. Regkey
8017. Added
8018.  
8019. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8020. ons\V3Medic.exe
8021. 1992
8022. Regkey
8023. Added
8024.  
8025. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Medic.
8026. exe
8027. 1992
8028. Regkey
8029. Setval
8030.  
8031. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Medic.
8032. exe\"debugger" = svchost.exe
8033. 1992
8034. Regkey
8035. Added
8036.  
8037. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8038. ons\BgScan.exe
8039. 1992
8040. Regkey
8041. Added
8042.  
8043. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BgScan.e
8044. xe
8045. 1992
8046. Regkey
8047. Setval
8048.  
8049. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BgScan.e
8050. xe\"debugger" = svchost.exe
8051. 1992
8052. Regkey
8053. Added
8054.  
8055. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8056. ons\BullGuard.exe
8057. 1992
8058. Regkey
8059. Added
8060.  
8061. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuar
8062. d.exe
8063. 1992
8064. Regkey
8065. Setval
8066.  
8067. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuar
8068. d.exe\"debugger" = svchost.exe
8069. 1992
8070. Regkey
8071. Added
8072.  
8073. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8074. ons\BullGuardBhvScanner.exe
8075. 1992
8076. Regkey
8077. Added
8078.  
8079. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuar
8080. dBhvScanner.exe
8081. 1992
8082. Regkey
8083. Setval
8084.  
8085. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuar
8086. dBhvScanner.exe\"debugger" = svchost.exe
8087. 1992
8088. Regkey
8089. Added
8090.  
8091. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8092. ons\BullGuarScanner.exe
8093. 1992
8094. Regkey
8095. Added
8096.  
8097. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuar
8098. Scanner.exe
8099. 1992
8100. Regkey
8101. Setval
8102.  
8103. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuar
8104. Scanner.exe\"debugger" = svchost.exe
8105. 1992
8106. Regkey
8107. Added
8108.  
8109. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8110. ons\LittleHook.exe
8111. 1992
8112. Regkey
8113. Added
8114.  
8115. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LittleHo
8116. ok.exe
8117. 1992
8118. Regkey
8119. Setval
8120.  
8121. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LittleHo
8122. ok.exe\"debugger" = svchost.exe
8123. 1992
8124. Regkey
8125. Added
8126.  
8127. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8128. ons\BullGuardUpdate.exe
8129. 1992
8130. Regkey
8131. Added
8132.  
8133. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuar
8134. dUpdate.exe
8135. 1992
8136. Regkey
8137. Setval
8138.  
8139. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuar
8140. dUpdate.exe\"debugger" = svchost.exe
8141. 1992
8142. Regkey
8143. Added
8144.  
8145. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8146. ons\clamscan.exe
8147. 1992
8148. Regkey
8149. Added
8150.  
8151. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clamscan
8152. .exe
8153. 1992
8154. Regkey
8155. Setval
8156.  
8157. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clamscan
8158. .exe\"debugger" = svchost.exe
8159. 1992
8160. Regkey
8161. Added
8162.  
8163. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8164. ons\ClamTray.exe
8165. 1992
8166. Regkey
8167. Added
8168.  
8169. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClamTray
8170. .exe
8171. 1992
8172. Regkey
8173. Setval
8174.  
8175. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClamTray
8176. .exe\"debugger" = svchost.exe
8177. 1992
8178. Regkey
8179. Added
8180.  
8181. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8182. ons\ClamWin.exe
8183. 1992
8184. Regkey
8185. Added
8186.  
8187. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClamWin.
8188. exe
8189. 1992
8190. Regkey
8191. Setval
8192.  
8193. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClamWin.
8194. exe\"debugger" = svchost.exe
8195. 1992
8196. Regkey
8197. Added
8198.  
8199. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8200. ons\cis.exe
8201. 1992
8202. Regkey
8203. Added
8204.  
8205. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cis.exe
8206. 1992
8207. Regkey
8208. Setval
8209.  
8210. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cis.exe\
8211. "debugger" = svchost.exe
8212. 1992
8213. Regkey
8214. Added
8215.  
8216. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8217. ons\CisTray.exe
8218. 1992
8219. Regkey
8220. Added
8221.  
8222. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CisTray.
8223. exe
8224. 1992
8225. Regkey
8226. Setval
8227.  
8228. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CisTray.
8229. exe\"debugger" = svchost.exe
8230. 1992
8231. Regkey
8232. Added
8233.  
8234. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8235. ons\cmdagent.exe
8236. 1992
8237. Regkey
8238. Added
8239.  
8240. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent
8241. .exe
8242. 1992
8243. Regkey
8244. Setval
8245.  
8246. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent
8247. .exe\"debugger" = svchost.exe
8248. 1992
8249. Regkey
8250. Added
8251.  
8252. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8253. ons\cavwp.exe
8254. 1992
8255. Regkey
8256. Added
8257.  
8258. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cavwp.ex
8259. e
8260. 1992
8261. Regkey
8262. Setval
8263.  
8264. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cavwp.ex
8265. e\"debugger" = svchost.exe
8266. 1992
8267. Regkey
8268. Added
8269.  
8270. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8271. ons\dragon_updater.exe
8272. 1992
8273. Regkey
8274. Added
8275.  
8276. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dragon_u
8277. pdater.exe
8278. 1992
8279. Regkey
8280. Setval
8281.  
8282. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dragon_u
8283. pdater.exe\"debugger" = svchost.exe
8284. 1992
8285. Regkey
8286. Added
8287.  
8288. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8289. ons\MWAGENT.EXE
8290. 1992
8291. Regkey
8292. Added
8293.  
8294. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MWAGENT.
8295. EXE
8296. 1992
8297. Regkey
8298. Setval
8299.  
8300. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MWAGENT.
8301. EXE\"debugger" = svchost.exe
8302. 1992
8303. Regkey
8304. Added
8305.  
8306. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8307. ons\MWASER.EXE
8308. 1992
8309. Regkey
8310. Added
8311.  
8312. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MWASER.E
8313. XE
8314. 1992
8315. Regkey
8316. Setval
8317.  
8318. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MWASER.E
8319. XE\"debugger" = svchost.exe
8320. 1992
8321. Regkey
8322. Added
8323.  
8324. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8325. ons\CONSCTLX.EXE
8326. 1992
8327. Regkey
8328. Added
8329.  
8330. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CONSCTLX
8331. .EXE
8332. 1992
8333. Regkey
8334. Setval
8335.  
8336. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CONSCTLX
8337. .EXE\"debugger" = svchost.exe
8338. 1992
8339. Regkey
8340. Added
8341.  
8342. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8343. ons\avpmapp.exe
8344. 1992
8345. Regkey
8346. Added
8347.  
8348. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpmapp.
8349. exe
8350. 1992
8351. Regkey
8352. Setval
8353.  
8354. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpmapp.
8355. exe\"debugger" = svchost.exe
8356. 1992
8357. Regkey
8358. Added
8359.  
8360. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8361. ons\econceal.exe
8362. 1992
8363. Regkey
8364. Added
8365.  
8366. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\econceal
8367. .exe
8368. 1992
8369. Regkey
8370. Setval
8371.  
8372. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\econceal
8373. .exe\"debugger" = svchost.exe
8374. 1992
8375. Regkey
8376. Added
8377.  
8378. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8379. ons\escanmon.exe
8380. 1992
8381. Regkey
8382. Added
8383.  
8384. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanmon
8385. .exe
8386. 1992
8387. Regkey
8388. Setval
8389.  
8390. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanmon
8391. .exe\"debugger" = svchost.exe
8392. 1992
8393. Regkey
8394. Added
8395.  
8396. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8397. ons\escanpro.exe
8398. 1992
8399. Regkey
8400. Added
8401.  
8402. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanpro
8403. .exe
8404. 1992
8405. Regkey
8406. Setval
8407.  
8408. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanpro
8409. .exe\"debugger" = svchost.exe
8410. 1992
8411. Regkey
8412. Added
8413.  
8414. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8415. ons\TRAYSSER.EXE
8416. 1992
8417. Regkey
8418. Added
8419.  
8420. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TRAYSSER
8421. .EXE
8422. 1992
8423. Regkey
8424. Setval
8425.  
8426. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TRAYSSER
8427. .EXE\"debugger" = svchost.exe
8428. 1992
8429. Regkey
8430. Added
8431.  
8432. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8433. ons\TRAYICOS.EXE
8434. 1992
8435. Regkey
8436. Added
8437.  
8438. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TRAYICOS
8439. .EXE
8440. 1992
8441. Regkey
8442. Setval
8443.  
8444. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TRAYICOS
8445. .EXE\"debugger" = svchost.exe
8446. 1992
8447. Regkey
8448. Added
8449.  
8450. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8451. ons\econser.exe
8452. 1992
8453. Regkey
8454. Added
8455.  
8456. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\econser.
8457. exe
8458. 1992
8459. Regkey
8460. Setval
8461.  
8462. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\econser.
8463. exe\"debugger" = svchost.exe
8464. 1992
8465. Regkey
8466. Added
8467.  
8468. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8469. ons\VIEWTCP.EXE
8470. 1992
8471. Regkey
8472. Added
8473.  
8474. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VIEWTCP.
8475. EXE
8476. 1992
8477. Regkey
8478. Setval
8479.  
8480. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VIEWTCP.
8481. EXE\"debugger" = svchost.exe
8482. 1992
8483. Regkey
8484. Added
8485.  
8486. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8487. ons\FSHDLL64.exe
8488. 1992
8489. Regkey
8490. Added
8491.  
8492. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSHDLL64
8493. .exe
8494. 1992
8495. Regkey
8496. Setval
8497.  
8498. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSHDLL64
8499. .exe\"debugger" = svchost.exe
8500. 1992
8501. Regkey
8502. Added
8503.  
8504. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8505. ons\fsgk32.exe
8506. 1992
8507. Regkey
8508. Added
8509.  
8510. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.e
8511. xe
8512. 1992
8513. Regkey
8514. Setval
8515.  
8516. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.e
8517. xe\"debugger" = svchost.exe
8518. 1992
8519. Regkey
8520. Added
8521.  
8522. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8523. ons\fshoster32.exe
8524. 1992
8525. Regkey
8526. Added
8527.  
8528. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fshoster
8529. 32.exe
8530. 1992
8531. Regkey
8532. Setval
8533.  
8534. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fshoster
8535. 32.exe\"debugger" = svchost.exe
8536. 1992
8537. Regkey
8538. Added
8539.  
8540. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8541. ons\FSMA32.EXE
8542. 1992
8543. Regkey
8544. Added
8545.  
8546. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.E
8547. XE
8548. 1992
8549. Regkey
8550. Setval
8551.  
8552. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.E
8553. XE\"debugger" = svchost.exe
8554. 1992
8555. Regkey
8556. Added
8557.  
8558. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8559. ons\fsorsp.exe
8560. 1992
8561. Regkey
8562. Added
8563.  
8564. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsorsp.e
8565. xe
8566. 1992
8567. Regkey
8568. Setval
8569.  
8570. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsorsp.e
8571. xe\"debugger" = svchost.exe
8572. 1992
8573. Regkey
8574. Added
8575.  
8576. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8577. ons\fssm32.exe
8578. 1992
8579. Regkey
8580. Added
8581.  
8582. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fssm32.e
8583. xe
8584. 1992
8585. Regkey
8586. Setval
8587.  
8588. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fssm32.e
8589. xe\"debugger" = svchost.exe
8590. 1992
8591. Regkey
8592. Added
8593.  
8594. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8595. ons\FSM32.EXE
8596. 1992
8597. Regkey
8598. Added
8599.  
8600. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSM32.EX
8601. E
8602. 1992
8603. Regkey
8604. Setval
8605.  
8606. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSM32.EX
8607. E\"debugger" = svchost.exe
8608. 1992
8609. Regkey
8610. Added
8611.  
8612. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8613. ons\trigger.exe
8614. 1992
8615. Regkey
8616. Added
8617.  
8618. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trigger.
8619. exe
8620. 1992
8621. Regkey
8622. Setval
8623.  
8624. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trigger.
8625. exe\"debugger" = svchost.exe
8626. 1992
8627. Regkey
8628. Added
8629.  
8630. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8631. ons\FProtTray.exe
8632. 1992
8633. Regkey
8634. Added
8635.  
8636. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FProtTra
8637. y.exe
8638. 1992
8639. Regkey
8640. Setval
8641.  
8642. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FProtTra
8643. y.exe\"debugger" = svchost.exe
8644. 1992
8645. Regkey
8646. Added
8647.  
8648. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8649. ons\FPWin.exe
8650. 1992
8651. Regkey
8652. Added
8653.  
8654. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWin.ex
8655. e
8656. 1992
8657. Regkey
8658. Setval
8659.  
8660. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWin.ex
8661. e\"debugger" = svchost.exe
8662. 1992
8663. Regkey
8664. Added
8665.  
8666. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8667. ons\FPAVServer.exe
8668. 1992
8669. Regkey
8670. Added
8671.  
8672. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVServ
8673. er.exe
8674. 1992
8675. Regkey
8676. Setval
8677.  
8678. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVServ
8679. er.exe\"debugger" = svchost.exe
8680. 1992
8681. Regkey
8682. Added
8683.  
8684. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8685. ons\AVK.exe
8686. 1992
8687. Regkey
8688. Added
8689.  
8690. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVK.exe
8691. 1992
8692. Regkey
8693. Setval
8694.  
8695. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVK.exe\
8696. "debugger" = svchost.exe
8697. 1992
8698. Regkey
8699. Added
8700.  
8701. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8702. ons\GdBgInx64.exe
8703. 1992
8704. Regkey
8705. Added
8706.  
8707. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GdBgInx6
8708. 4.exe
8709. 1992
8710. Regkey
8711. Setval
8712.  
8713. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GdBgInx6
8714. 4.exe\"debugger" = svchost.exe
8715. 1992
8716. Regkey
8717. Added
8718.  
8719. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8720. ons\AVKProxy.exe
8721. 1992
8722. Regkey
8723. Added
8724.  
8725. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKProxy
8726. .exe
8727. 1992
8728. Regkey
8729. Setval
8730.  
8731. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKProxy
8732. .exe\"debugger" = svchost.exe
8733. 1992
8734. Regkey
8735. Added
8736.  
8737. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8738. ons\GDScan.exe
8739. 1992
8740. Regkey
8741. Added
8742.  
8743. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDScan.e
8744. xe
8745. 1992
8746. Regkey
8747. Setval
8748.  
8749. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDScan.e
8750. xe\"debugger" = svchost.exe
8751. 1992
8752. Regkey
8753. Added
8754.  
8755. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8756. ons\AVKWCtlx64.exe
8757. 1992
8758. Regkey
8759. Added
8760.  
8761. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKWCtlx
8762. 64.exe
8763. 1992
8764. Regkey
8765. Setval
8766.  
8767. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKWCtlx
8768. 64.exe\"debugger" = svchost.exe
8769. 1992
8770. Regkey
8771. Added
8772.  
8773. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8774. ons\AVKService.exe
8775. 1992
8776. Regkey
8777. Added
8778.  
8779. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKServi
8780. ce.exe
8781. 1992
8782. Regkey
8783. Setval
8784.  
8785. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKServi
8786. ce.exe\"debugger" = svchost.exe
8787. 1992
8788. Regkey
8789. Added
8790.  
8791. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8792. ons\AVKTray.exe
8793. 1992
8794. Regkey
8795. Added
8796.  
8797. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKTray.
8798. exe
8799. 1992
8800. Regkey
8801. Setval
8802.  
8803. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKTray.
8804. exe\"debugger" = svchost.exe
8805. 1992
8806. Regkey
8807. Added
8808.  
8809. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8810. ons\GDKBFltExe32.exe
8811. 1992
8812. Regkey
8813. Added
8814.  
8815. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDKBFltE
8816. xe32.exe
8817. 1992
8818. Regkey
8819. Setval
8820.  
8821. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDKBFltE
8822. xe32.exe\"debugger" = svchost.exe
8823. 1992
8824. Regkey
8825. Added
8826.  
8827. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8828. ons\GDSC.exe
8829. 1992
8830. Regkey
8831. Added
8832.  
8833. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDSC.exe
8834. 1992
8835. Regkey
8836. Setval
8837.  
8838. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDSC.exe
8839. \"debugger" = svchost.exe
8840. 1992
8841. Regkey
8842. Added
8843.  
8844. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8845. ons\virusutilities.exe
8846. 1992
8847. Regkey
8848. Added
8849.  
8850. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusuti
8851. lities.exe
8852. 1992
8853. Regkey
8854. Setval
8855.  
8856. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusuti
8857. lities.exe\"debugger" = svchost.exe
8858. 1992
8859. Regkey
8860. Added
8861.  
8862. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8863. ons\guardxservice.exe
8864. 1992
8865. Regkey
8866. Added
8867.  
8868. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxse
8869. rvice.exe
8870. 1992
8871. Regkey
8872. Setval
8873.  
8874. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxse
8875. rvice.exe\"debugger" = svchost.exe
8876. 1992
8877. Regkey
8878. Added
8879.  
8880. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8881. ons\guardxkickoff_x64.exe
8882. 1992
8883. Regkey
8884. Added
8885.  
8886. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxki
8887. ckoff_x64.exe
8888. 1992
8889. Regkey
8890. Setval
8891.  
8892. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxki
8893. ckoff_x64.exe\"debugger" = svchost.exe
8894. 1992
8895. Regkey
8896. Added
8897.  
8898. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8899. ons\iptray.exe
8900. 1992
8901. Regkey
8902. Added
8903.  
8904. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iptray.e
8905. xe
8906. 1992
8907. Regkey
8908. Setval
8909.  
8910. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iptray.e
8911. xe\"debugger" = svchost.exe
8912. 1992
8913. Regkey
8914. Added
8915.  
8916. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8917. ons\freshclam.exe
8918. 1992
8919. Regkey
8920. Added
8921.  
8922. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freshcla
8923. m.exe
8924. 1992
8925. Regkey
8926. Setval
8927.  
8928. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freshcla
8929. m.exe\"debugger" = svchost.exe
8930. 1992
8931. Regkey
8932. Added
8933.  
8934. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8935. ons\freshclamwrap.exe
8936. 1992
8937. Regkey
8938. Added
8939.  
8940. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freshcla
8941. mwrap.exe
8942. 1992
8943. Regkey
8944. Setval
8945.  
8946. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freshcla
8947. mwrap.exe\"debugger" = svchost.exe
8948. 1992
8949. Regkey
8950. Added
8951.  
8952. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8953. ons\K7RTScan.exe
8954. 1992
8955. Regkey
8956. Added
8957.  
8958. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7RTScan
8959. .exe
8960. 1992
8961. Regkey
8962. Setval
8963.  
8964. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7RTScan
8965. .exe\"debugger" = svchost.exe
8966. 1992
8967. Regkey
8968. Added
8969.  
8970. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8971. ons\K7FWSrvc.exe
8972. 1992
8973. Regkey
8974. Added
8975.  
8976. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7FWSrvc
8977. .exe
8978. 1992
8979. Regkey
8980. Setval
8981.  
8982. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7FWSrvc
8983. .exe\"debugger" = svchost.exe
8984. 1992
8985. Regkey
8986. Added
8987.  
8988. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
8989. ons\K7PSSrvc.exe
8990. 1992
8991. Regkey
8992. Added
8993.  
8994. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7PSSrvc
8995. .exe
8996. 1992
8997. Regkey
8998. Setval
8999.  
9000. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7PSSrvc
9001. .exe\"debugger" = svchost.exe
9002. 1992
9003. Regkey
9004. Added
9005.  
9006. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9007. ons\K7EmlPxy.EXE
9008. 1992
9009. Regkey
9010. Added
9011.  
9012. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7EmlPxy
9013. .EXE
9014. 1992
9015. Regkey
9016. Setval
9017.  
9018. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7EmlPxy
9019. .EXE\"debugger" = svchost.exe
9020. 1992
9021. Regkey
9022. Added
9023.  
9024. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9025. ons\K7TSecurity.exe
9026. 1992
9027. Regkey
9028. Added
9029.  
9030. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSecur
9031. ity.exe
9032. 1992
9033. Regkey
9034. Setval
9035.  
9036. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSecur
9037. ity.exe\"debugger" = svchost.exe
9038. 1992
9039. Regkey
9040. Added
9041.  
9042. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9043. ons\K7AVScan.exe
9044. 1992
9045. Regkey
9046. Added
9047.  
9048. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7AVScan
9049. .exe
9050. 1992
9051. Regkey
9052. Setval
9053.  
9054. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7AVScan
9055. .exe\"debugger" = svchost.exe
9056. 1992
9057. Regkey
9058. Added
9059.  
9060. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9061. ons\K7CrvSvc.exe
9062. 1992
9063. Regkey
9064. Added
9065.  
9066. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7CrvSvc
9067. .exe
9068. 1992
9069. Regkey
9070. Setval
9071.  
9072. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7CrvSvc
9073. .exe\"debugger" = svchost.exe
9074. 1992
9075. Regkey
9076. Added
9077.  
9078. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9079. ons\K7SysMon.Exe
9080. 1992
9081. Regkey
9082. Added
9083.  
9084. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7SysMon
9085. .Exe
9086. 1992
9087. Regkey
9088. Setval
9089.  
9090. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7SysMon
9091. .Exe\"debugger" = svchost.exe
9092. 1992
9093. Regkey
9094. Added
9095.  
9096. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9097. ons\K7TSMain.exe
9098. 1992
9099. Regkey
9100. Added
9101.  
9102. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMain
9103. .exe
9104. 1992
9105. Regkey
9106. Setval
9107.  
9108. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMain
9109. .exe\"debugger" = svchost.exe
9110. 1992
9111. Regkey
9112. Added
9113.  
9114. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9115. ons\K7TSMngr.exe
9116. 1992
9117. Regkey
9118. Added
9119.  
9120. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMngr
9121. .exe
9122. 1992
9123. Regkey
9124. Setval
9125.  
9126. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMngr
9127. .exe\"debugger" = svchost.exe
9128. 1992
9129. Regkey
9130. Added
9131.  
9132. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9133. ons\nanosvc.exe
9134. 1992
9135. Regkey
9136. Added
9137.  
9138. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanosvc.
9139. exe
9140. 1992
9141. Regkey
9142. Setval
9143.  
9144. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanosvc.
9145. exe\"debugger" = svchost.exe
9146. 1992
9147. Regkey
9148. Added
9149.  
9150. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9151. ons\nanoav.exe
9152. 1992
9153. Regkey
9154. Added
9155.  
9156. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanoav.e
9157. xe
9158. 1992
9159. Regkey
9160. Setval
9161.  
9162. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanoav.e
9163. xe\"debugger" = svchost.exe
9164. 1992
9165. Regkey
9166. Added
9167.  
9168. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9169. ons\nnf.exe
9170. 1992
9171. Regkey
9172. Added
9173.  
9174. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nnf.exe
9175. 1992
9176. Regkey
9177. Setval
9178.  
9179. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nnf.exe\
9180. "debugger" = svchost.exe
9181. 1992
9182. Regkey
9183. Added
9184.  
9185. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9186. ons\nvcsvc.exe
9187. 1992
9188. Regkey
9189. Added
9190.  
9191. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvcsvc.e
9192. xe
9193. 1992
9194. Regkey
9195. Setval
9196.  
9197. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvcsvc.e
9198. xe\"debugger" = svchost.exe
9199. 1992
9200. Regkey
9201. Added
9202.  
9203. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9204. ons\nbrowser.exe
9205. 1992
9206. Regkey
9207. Added
9208.  
9209. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nbrowser
9210. .exe
9211. 1992
9212. Regkey
9213. Setval
9214.  
9215. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nbrowser
9216. .exe\"debugger" = svchost.exe
9217. 1992
9218. Regkey
9219. Added
9220.  
9221. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9222. ons\nseupdatesvc.exe
9223. 1992
9224. Regkey
9225. Added
9226.  
9227. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nseupdat
9228. esvc.exe
9229. 1992
9230. Regkey
9231. Setval
9232.  
9233. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nseupdat
9234. esvc.exe\"debugger" = svchost.exe
9235. 1992
9236. Regkey
9237. Added
9238.  
9239. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9240. ons\nfservice.exe
9241. 1992
9242. Regkey
9243. Added
9244.  
9245. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nfservic
9246. e.exe
9247. 1992
9248. Regkey
9249. Setval
9250.  
9251. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nfservic
9252. e.exe\"debugger" = svchost.exe
9253. 1992
9254. Regkey
9255. Added
9256.  
9257. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9258. ons\nwscmon.exe
9259. 1992
9260. Regkey
9261. Added
9262.  
9263. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwscmon.
9264. exe
9265. 1992
9266. Regkey
9267. Setval
9268.  
9269. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwscmon.
9270. exe\"debugger" = svchost.exe
9271. 1992
9272. Regkey
9273. Added
9274.  
9275. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9276. ons\njeeves2.exe
9277. 1992
9278. Regkey
9279. Added
9280.  
9281. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\njeeves2
9282. .exe
9283. 1992
9284. Regkey
9285. Setval
9286.  
9287. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\njeeves2
9288. .exe\"debugger" = svchost.exe
9289. 1992
9290. Regkey
9291. Added
9292.  
9293. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9294. ons\nvcod.exe
9295. 1992
9296. Regkey
9297. Added
9298.  
9299. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvcod.ex
9300. e
9301. 1992
9302. Regkey
9303. Setval
9304.  
9305. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvcod.ex
9306. e\"debugger" = svchost.exe
9307. 1992
9308. Regkey
9309. Added
9310.  
9311. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9312. ons\nvoy.exe
9313. 1992
9314. Regkey
9315. Added
9316.  
9317. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvoy.exe
9318. 1992
9319. Regkey
9320. Setval
9321.  
9322. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvoy.exe
9323. \"debugger" = svchost.exe
9324. 1992
9325. Regkey
9326. Added
9327.  
9328. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9329. ons\zlhh.exe
9330. 1992
9331. Regkey
9332. Added
9333.  
9334. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlhh.exe
9335. 1992
9336. Regkey
9337. Setval
9338.  
9339. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlhh.exe
9340. \"debugger" = svchost.exe
9341. 1992
9342. Regkey
9343. Added
9344.  
9345. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9346. ons\Zlh.exe
9347. 1992
9348. Regkey
9349. Added
9350.  
9351. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe
9352. 1992
9353. Regkey
9354. Setval
9355.  
9356. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\
9357. "debugger" = svchost.exe
9358. 1992
9359. Regkey
9360. Added
9361.  
9362. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9363. ons\nprosec.exe
9364. 1992
9365. Regkey
9366. Added
9367.  
9368. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprosec.
9369. exe
9370. 1992
9371. Regkey
9372. Setval
9373.  
9374. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprosec.
9375. exe\"debugger" = svchost.exe
9376. 1992
9377. Regkey
9378. Added
9379.  
9380. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9381. ons\Zanda.exe
9382. 1992
9383. Regkey
9384. Added
9385.  
9386. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.ex
9387. e
9388. 1992
9389. Regkey
9390. Setval
9391.  
9392. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.ex
9393. e\"debugger" = svchost.exe
9394. 1992
9395. Regkey
9396. Added
9397.  
9398. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9399. ons\NS.exe
9400. 1992
9401. Regkey
9402. Added
9403.  
9404. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NS.exe
9405. 1992
9406. Regkey
9407. Setval
9408.  
9409. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NS.exe\"
9410. debugger" = svchost.exe
9411. 1992
9412. Regkey
9413. Added
9414.  
9415. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9416. ons\acs.exe
9417. 1992
9418. Regkey
9419. Added
9420.  
9421. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe
9422. 1992
9423. Regkey
9424. Setval
9425.  
9426. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe\
9427. "debugger" = svchost.exe
9428. 1992
9429. Regkey
9430. Added
9431.  
9432. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9433. ons\op_mon.exe
9434. 1992
9435. Regkey
9436. Added
9437.  
9438. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\op_mon.e
9439. xe
9440. 1992
9441. Regkey
9442. Setval
9443.  
9444. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\op_mon.e
9445. xe\"debugger" = svchost.exe
9446. 1992
9447. Regkey
9448. Added
9449.  
9450. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9451. ons\PSANHost.exe
9452. 1992
9453. Regkey
9454. Added
9455.  
9456. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANHost
9457. .exe
9458. 1992
9459. Regkey
9460. Setval
9461.  
9462. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANHost
9463. .exe\"debugger" = svchost.exe
9464. 1992
9465. Regkey
9466. Added
9467.  
9468. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9469. ons\PSUAMain.exe
9470. 1992
9471. Regkey
9472. Added
9473.  
9474. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUAMain
9475. .exe
9476. 1992
9477. Regkey
9478. Setval
9479.  
9480. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUAMain
9481. .exe\"debugger" = svchost.exe
9482. 1992
9483. Regkey
9484. Added
9485.  
9486. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9487. ons\PSUAService.exe
9488. 1992
9489. Regkey
9490. Added
9491.  
9492. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUAServ
9493. ice.exe
9494. 1992
9495. Regkey
9496. Setval
9497.  
9498. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUAServ
9499. ice.exe\"debugger" = svchost.exe
9500. 1992
9501. Regkey
9502. Added
9503.  
9504. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9505. ons\AgentSvc.exe
9506. 1992
9507. Regkey
9508. Added
9509.  
9510. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvc
9511. .exe
9512. 1992
9513. Regkey
9514. Setval
9515.  
9516. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvc
9517. .exe\"debugger" = svchost.exe
9518. 1992
9519. Regkey
9520. Added
9521.  
9522. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9523. ons\BDSSVC.EXE
9524. 1992
9525. Regkey
9526. Added
9527.  
9528. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDSSVC.E
9529. XE
9530. 1992
9531. Regkey
9532. Setval
9533.  
9534. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDSSVC.E
9535. XE\"debugger" = svchost.exe
9536. 1992
9537. Regkey
9538. Added
9539.  
9540. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9541. ons\EMLPROXY.EXE
9542. 1992
9543. Regkey
9544. Added
9545.  
9546. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EMLPROXY
9547. .EXE
9548. 1992
9549. Regkey
9550. Setval
9551.  
9552. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EMLPROXY
9553. .EXE\"debugger" = svchost.exe
9554. 1992
9555. Regkey
9556. Added
9557.  
9558. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9559. ons\OPSSVC.EXE
9560. 1992
9561. Regkey
9562. Added
9563.  
9564. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OPSSVC.E
9565. XE
9566. 1992
9567. Regkey
9568. Setval
9569.  
9570. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OPSSVC.E
9571. XE\"debugger" = svchost.exe
9572. 1992
9573. Regkey
9574. Added
9575.  
9576. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9577. ons\ONLINENT.EXE
9578. 1992
9579. Regkey
9580. Added
9581.  
9582. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONLINENT
9583. .EXE
9584. 1992
9585. Regkey
9586. Setval
9587.  
9588. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONLINENT
9589. .EXE\"debugger" = svchost.exe
9590. 1992
9591. Regkey
9592. Added
9593.  
9594. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9595. ons\QUHLPSVC.EXE
9596. 1992
9597. Regkey
9598. Added
9599.  
9600. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QUHLPSVC
9601. .EXE
9602. 1992
9603. Regkey
9604. Setval
9605.  
9606. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QUHLPSVC
9607. .EXE\"debugger" = svchost.exe
9608. 1992
9609. Regkey
9610. Added
9611.  
9612. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9613. ons\SAPISSVC.EXE
9614. 1992
9615. Regkey
9616. Added
9617.  
9618. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SAPISSVC
9619. .EXE
9620. 1992
9621. Regkey
9622. Setval
9623.  
9624. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SAPISSVC
9625. .EXE\"debugger" = svchost.exe
9626. 1992
9627. Regkey
9628. Added
9629.  
9630. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9631. ons\SCANNER.EXE
9632. 1992
9633. Regkey
9634. Added
9635.  
9636. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANNER.
9637. EXE
9638. 1992
9639. Regkey
9640. Setval
9641.  
9642. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANNER.
9643. EXE\"debugger" = svchost.exe
9644. 1992
9645. Regkey
9646. Added
9647.  
9648. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9649. ons\SCANWSCS.EXE
9650. 1992
9651. Regkey
9652. Added
9653.  
9654. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANWSCS
9655. .EXE
9656. 1992
9657. Regkey
9658. Setval
9659.  
9660. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANWSCS
9661. .EXE\"debugger" = svchost.exe
9662. 1992
9663. Regkey
9664. Added
9665.  
9666. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9667. ons\scproxysrv.exe
9668. 1992
9669. Regkey
9670. Added
9671.  
9672. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scproxys
9673. rv.exe
9674. 1992
9675. Regkey
9676. Setval
9677.  
9678. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scproxys
9679. rv.exe\"debugger" = svchost.exe
9680. 1992
9681. Regkey
9682. Added
9683.  
9684. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9685. ons\ScSecSvc.exe
9686. 1992
9687. Regkey
9688. Added
9689.  
9690. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScSecSvc
9691. .exe
9692. 1992
9693. Regkey
9694. Setval
9695.  
9696. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScSecSvc
9697. .exe\"debugger" = svchost.exe
9698. 1992
9699. Regkey
9700. Added
9701.  
9702. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9703. ons\SUPERAntiSpyware.exe
9704. 1992
9705. Regkey
9706. Added
9707.  
9708. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SUPERAnt
9709. iSpyware.exe
9710. 1992
9711. Regkey
9712. Setval
9713.  
9714. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SUPERAnt
9715. iSpyware.exe\"debugger" = svchost.exe
9716. 1992
9717. Regkey
9718. Added
9719.  
9720. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9721. ons\SASCore64.exe
9722. 1992
9723. Regkey
9724. Added
9725.  
9726. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SASCore6
9727. 4.exe
9728. 1992
9729. Regkey
9730. Setval
9731.  
9732. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SASCore6
9733. 4.exe\"debugger" = svchost.exe
9734. 1992
9735. Regkey
9736. Added
9737.  
9738. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9739. ons\SSUpdate64.exe
9740. 1992
9741. Regkey
9742. Added
9743.  
9744. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SSUpdate
9745. 64.exe
9746. 1992
9747. Regkey
9748. Setval
9749.  
9750. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SSUpdate
9751. 64.exe\"debugger" = svchost.exe
9752. 1992
9753. Regkey
9754. Added
9755.  
9756. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9757. ons\SUPERDelete.exe
9758. 1992
9759. Regkey
9760. Added
9761.  
9762. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SUPERDel
9763. ete.exe
9764. 1992
9765. Regkey
9766. Setval
9767.  
9768. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SUPERDel
9769. ete.exe\"debugger" = svchost.exe
9770. 1992
9771. Regkey
9772. Added
9773.  
9774. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9775. ons\SASTask.exe
9776. 1992
9777. Regkey
9778. Added
9779.  
9780. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SASTask.
9781. exe
9782. 1992
9783. Regkey
9784. Setval
9785.  
9786. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SASTask.
9787. exe\"debugger" = svchost.exe
9788. 1992
9789. Regkey
9790. Setval
9791.  
9792. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7RTScan
9793. .exe\"debugger" = svchost.exe
9794. 1992
9795. Regkey
9796. Setval
9797.  
9798. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7FWSrvc
9799. .exe\"debugger" = svchost.exe
9800. 1992
9801. Regkey
9802. Setval
9803.  
9804. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7PSSrvc
9805. .exe\"debugger" = svchost.exe
9806. 1992
9807. Regkey
9808. Setval
9809.  
9810. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7EmlPxy
9811. .EXE\"debugger" = svchost.exe
9812. 1992
9813. Regkey
9814. Setval
9815.  
9816. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSecur
9817. ity.exe\"debugger" = svchost.exe
9818. 1992
9819. Regkey
9820. Setval
9821.  
9822. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7AVScan
9823. .exe\"debugger" = svchost.exe
9824. 1992
9825. Regkey
9826. Setval
9827.  
9828. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7CrvSvc
9829. .exe\"debugger" = svchost.exe
9830. 1992
9831. Regkey
9832. Setval
9833.  
9834. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7SysMon
9835. .Exe\"debugger" = svchost.exe
9836. 1992
9837. Regkey
9838. Setval
9839.  
9840. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMain
9841. .exe\"debugger" = svchost.exe
9842. 1992
9843. Regkey
9844. Setval
9845.  
9846. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMngr
9847. .exe\"debugger" = svchost.exe
9848. 1992
9849. Regkey
9850. Added
9851.  
9852. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9853. ons\uiWinMgr.exe
9854. 1992
9855. Regkey
9856. Added
9857.  
9858. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiWinMgr
9859. .exe
9860. 1992
9861. Regkey
9862. Setval
9863.  
9864. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiWinMgr
9865. .exe\"debugger" = svchost.exe
9866. 1992
9867. Regkey
9868. Added
9869.  
9870. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9871. ons\uiWatchDog.exe
9872. 1992
9873. Regkey
9874. Added
9875.  
9876. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiWatchD
9877. og.exe
9878. 1992
9879. Regkey
9880. Setval
9881.  
9882. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiWatchD
9883. og.exe\"debugger" = svchost.exe
9884. 1992
9885. Regkey
9886. Added
9887.  
9888. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9889. ons\uiSeAgnt.exe
9890. 1992
9891. Regkey
9892. Added
9893.  
9894. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiSeAgnt
9895. .exe
9896. 1992
9897. Regkey
9898. Setval
9899.  
9900. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiSeAgnt
9901. .exe\"debugger" = svchost.exe
9902. 1992
9903. Regkey
9904. Added
9905.  
9906. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9907. ons\PtWatchDog.exe
9908. 1992
9909. Regkey
9910. Added
9911.  
9912. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchD
9913. og.exe
9914. 1992
9915. Regkey
9916. Setval
9917.  
9918. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchD
9919. og.exe\"debugger" = svchost.exe
9920. 1992
9921. Regkey
9922. Added
9923.  
9924. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9925. ons\PtSvcHost.exe
9926. 1992
9927. Regkey
9928. Added
9929.  
9930. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtSvcHos
9931. t.exe
9932. 1992
9933. Regkey
9934. Setval
9935.  
9936. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtSvcHos
9937. t.exe\"debugger" = svchost.exe
9938. 1992
9939. Regkey
9940. Added
9941.  
9942. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9943. ons\PtSessionAgent.exe
9944. 1992
9945. Regkey
9946. Added
9947.  
9948. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtSessio
9949. nAgent.exe
9950. 1992
9951. Regkey
9952. Setval
9953.  
9954. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtSessio
9955. nAgent.exe\"debugger" = svchost.exe
9956. 1992
9957. Regkey
9958. Added
9959.  
9960. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9961. ons\coreFrameworkHost.exe
9962. 1992
9963. Regkey
9964. Added
9965.  
9966. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\coreFram
9967. eworkHost.exe
9968. 1992
9969. Regkey
9970. Setval
9971.  
9972. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\coreFram
9973. eworkHost.exe\"debugger" = svchost.exe
9974. 1992
9975. Regkey
9976. Added
9977.  
9978. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9979. ons\coreServiceShell.exe
9980. 1992
9981. Regkey
9982. Added
9983.  
9984. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\coreServ
9985. iceShell.exe
9986. 1992
9987. Regkey
9988. Setval
9989.  
9990. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\coreServ
9991. iceShell.exe\"debugger" = svchost.exe
9992. 1992
9993. Regkey
9994. Added
9995.  
9996. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
9997. ons\uiUpdateTray.exe
9998. 1992
9999. Regkey
10000. Added
10001.  
10002. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiUpdate
10003. Tray.exe
10004. 1992
10005. Regkey
10006. Setval
10007.  
10008. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiUpdate
10009. Tray.exe\"debugger" = svchost.exe
10010. 1992
10011. Regkey
10012. Added
10013.  
10014. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10015. ons\VIPREUI.exe
10016. 1992
10017. Regkey
10018. Added
10019.  
10020. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VIPREUI.
10021. exe
10022. 1992
10023. Regkey
10024. Setval
10025.  
10026. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VIPREUI.
10027. exe\"debugger" = svchost.exe
10028. 1992
10029. Regkey
10030. Added
10031.  
10032. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10033. ons\SBAMSvc.exe
10034. 1992
10035. Regkey
10036. Added
10037.  
10038. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBAMSvc.
10039. exe
10040. 1992
10041. Regkey
10042. Setval
10043.  
10044. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBAMSvc.
10045. exe\"debugger" = svchost.exe
10046. 1992
10047. Regkey
10048. Added
10049.  
10050. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10051. ons\SBAMTray.exe
10052. 1992
10053. Regkey
10054. Added
10055.  
10056. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBAMTray
10057. .exe
10058. 1992
10059. Regkey
10060. Setval
10061.  
10062. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBAMTray
10063. .exe\"debugger" = svchost.exe
10064. 1992
10065. Regkey
10066. Added
10067.  
10068. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10069. ons\SBPIMSvc.exe
10070. 1992
10071. Regkey
10072. Added
10073.  
10074. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBPIMSvc
10075. .exe
10076. 1992
10077. Regkey
10078. Setval
10079.  
10080. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBPIMSvc
10081. .exe\"debugger" = svchost.exe
10082. 1992
10083. Regkey
10084. Added
10085.  
10086. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10087. ons\bavhm.exe
10088. 1992
10089. Regkey
10090. Added
10091.  
10092. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bavhm.ex
10093. e
10094. 1992
10095. Regkey
10096. Setval
10097.  
10098. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bavhm.ex
10099. e\"debugger" = svchost.exe
10100. 1992
10101. Regkey
10102. Added
10103.  
10104. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10105. ons\BavSvc.exe
10106. 1992
10107. Regkey
10108. Added
10109.  
10110. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BavSvc.e
10111. xe
10112. 1992
10113. Regkey
10114. Setval
10115.  
10116. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BavSvc.e
10117. xe\"debugger" = svchost.exe
10118. 1992
10119. Regkey
10120. Added
10121.  
10122. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10123. ons\BavTray.exe
10124. 1992
10125. Regkey
10126. Added
10127.  
10128. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BavTray.
10129. exe
10130. 1992
10131. Regkey
10132. Setval
10133.  
10134. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BavTray.
10135. exe\"debugger" = svchost.exe
10136. 1992
10137. Regkey
10138. Added
10139.  
10140. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10141. ons\Bav.exe
10142. 1992
10143. Regkey
10144. Added
10145.  
10146. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Bav.exe
10147. 1992
10148. Regkey
10149. Setval
10150.  
10151. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Bav.exe\
10152. "debugger" = svchost.exe
10153. 1992
10154. Regkey
10155. Added
10156.  
10157. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10158. ons\BavWebClient.exe
10159. 1992
10160. Regkey
10161. Added
10162.  
10163. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BavWebCl
10164. ient.exe
10165. 1992
10166. Regkey
10167. Setval
10168.  
10169. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BavWebCl
10170. ient.exe\"debugger" = svchost.exe
10171. 1992
10172. Regkey
10173. Added
10174.  
10175. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10176. ons\BavUpdater.exe
10177. 1992
10178. Regkey
10179. Added
10180.  
10181. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BavUpdat
10182. er.exe
10183. 1992
10184. Regkey
10185. Setval
10186.  
10187. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BavUpdat
10188. er.exe\"debugger" = svchost.exe
10189. 1992
10190. Regkey
10191. Added
10192.  
10193. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10194. ons\MCShieldCCC.exe
10195. 1992
10196. Regkey
10197. Added
10198.  
10199. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShield
10200. CCC.exe
10201. 1992
10202. Regkey
10203. Setval
10204.  
10205. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShield
10206. CCC.exe\"debugger" = svchost.exe
10207. 1992
10208. Regkey
10209. Added
10210.  
10211. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10212. ons\MCShieldRTM.exe
10213. 1992
10214. Regkey
10215. Added
10216.  
10217. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShield
10218. RTM.exe
10219. 1992
10220. Regkey
10221. Setval
10222.  
10223. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShield
10224. RTM.exe\"debugger" = svchost.exe
10225. 1992
10226. Regkey
10227. Added
10228.  
10229. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10230. ons\MCShieldDS.exe
10231. 1992
10232. Regkey
10233. Added
10234.  
10235. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShield
10236. DS.exe
10237. 1992
10238. Regkey
10239. Setval
10240.  
10241. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShield
10242. DS.exe\"debugger" = svchost.exe
10243. 1992
10244. Regkey
10245. Added
10246.  
10247. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10248. ons\MCS-Uninstall.exe
10249. 1992
10250. Regkey
10251. Added
10252.  
10253. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCS-Unin
10254. stall.exe
10255. 1992
10256. Regkey
10257. Setval
10258.  
10259. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCS-Unin
10260. stall.exe\"debugger" = svchost.exe
10261. 1992
10262. Regkey
10263. Added
10264.  
10265. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10266. ons\SDScan.exe
10267. 1992
10268. Regkey
10269. Added
10270.  
10271. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDScan.e
10272. xe
10273. 1992
10274. Regkey
10275. Setval
10276.  
10277. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDScan.e
10278. xe\"debugger" = svchost.exe
10279. 1992
10280. Regkey
10281. Added
10282.  
10283. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10284. ons\SDFSSvc.exe
10285. 1992
10286. Regkey
10287. Added
10288.  
10289. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFSSvc.
10290. exe
10291. 1992
10292. Regkey
10293. Setval
10294.  
10295. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFSSvc.
10296. exe\"debugger" = svchost.exe
10297. 1992
10298. Regkey
10299. Added
10300.  
10301. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10302. ons\SDWelcome.exe
10303. 1992
10304. Regkey
10305. Added
10306.  
10307. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWelcom
10308. e.exe
10309. 1992
10310. Regkey
10311. Setval
10312.  
10313. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWelcom
10314. e.exe\"debugger" = svchost.exe
10315. 1992
10316. Regkey
10317. Added
10318.  
10319. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10320. ons\SDTray.exe
10321. 1992
10322. Regkey
10323. Added
10324.  
10325. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDTray.e
10326. xe
10327. 1992
10328. Regkey
10329. Setval
10330.  
10331. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDTray.e
10332. xe\"debugger" = svchost.exe
10333. 1992
10334. Regkey
10335. Added
10336.  
10337. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10338. ons\UnThreat.exe
10339. 1992
10340. Regkey
10341. Added
10342.  
10343. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UnThreat
10344. .exe
10345. 1992
10346. Regkey
10347. Setval
10348.  
10349. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UnThreat
10350. .exe\"debugger" = svchost.exe
10351. 1992
10352. Regkey
10353. Added
10354.  
10355. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10356. ons\utsvc.exe
10357. 1992
10358. Regkey
10359. Added
10360.  
10361. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utsvc.ex
10362. e
10363. 1992
10364. Regkey
10365. Setval
10366.  
10367. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utsvc.ex
10368. e\"debugger" = svchost.exe
10369. 1992
10370. Regkey
10371. Added
10372.  
10373. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10374. ons\FortiClient.exe
10375. 1992
10376. Regkey
10377. Added
10378.  
10379. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiCli
10380. ent.exe
10381. 1992
10382. Regkey
10383. Setval
10384.  
10385. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiCli
10386. ent.exe\"debugger" = svchost.exe
10387. 1992
10388. Regkey
10389. Added
10390.  
10391. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10392. ons\fcappdb.exe
10393. 1992
10394. Regkey
10395. Added
10396.  
10397. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fcappdb.
10398. exe
10399. 1992
10400. Regkey
10401. Setval
10402.  
10403. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fcappdb.
10404. exe\"debugger" = svchost.exe
10405. 1992
10406. Regkey
10407. Added
10408.  
10409. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10410. ons\FCDBlog.exe
10411. 1992
10412. Regkey
10413. Added
10414.  
10415. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FCDBlog.
10416. exe
10417. 1992
10418. Regkey
10419. Setval
10420.  
10421. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FCDBlog.
10422. exe\"debugger" = svchost.exe
10423. 1992
10424. Regkey
10425. Added
10426.  
10427. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10428. ons\FCHelper64.exe
10429. 1992
10430. Regkey
10431. Added
10432.  
10433. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FCHelper
10434. 64.exe
10435. 1992
10436. Regkey
10437. Setval
10438.  
10439. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FCHelper
10440. 64.exe\"debugger" = svchost.exe
10441. 1992
10442. Regkey
10443. Added
10444.  
10445. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10446. ons\fmon.exe
10447. 1992
10448. Regkey
10449. Added
10450.  
10451. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fmon.exe
10452. 1992
10453. Regkey
10454. Setval
10455.  
10456. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fmon.exe
10457. \"debugger" = svchost.exe
10458. 1992
10459. Regkey
10460. Added
10461.  
10462. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10463. ons\FortiESNAC.exe
10464. 1992
10465. Regkey
10466. Added
10467.  
10468. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiESN
10469. AC.exe
10470. 1992
10471. Regkey
10472. Setval
10473.  
10474. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiESN
10475. AC.exe\"debugger" = svchost.exe
10476. 1992
10477. Regkey
10478. Added
10479.  
10480. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10481. ons\FortiProxy.exe
10482. 1992
10483. Regkey
10484. Added
10485.  
10486. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiPro
10487. xy.exe
10488. 1992
10489. Regkey
10490. Setval
10491.  
10492. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiPro
10493. xy.exe\"debugger" = svchost.exe
10494. 1992
10495. Regkey
10496. Added
10497.  
10498. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10499. ons\FortiSSLVPNdaemon.exe
10500. 1992
10501. Regkey
10502. Added
10503.  
10504. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiSSL
10505. VPNdaemon.exe
10506. 1992
10507. Regkey
10508. Setval
10509.  
10510. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiSSL
10511. VPNdaemon.exe\"debugger" = svchost.exe
10512. 1992
10513. Regkey
10514. Added
10515.  
10516. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10517. ons\FortiTray.exe
10518. 1992
10519. Regkey
10520. Added
10521.  
10522. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiTra
10523. y.exe
10524. 1992
10525. Regkey
10526. Setval
10527.  
10528. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiTra
10529. y.exe\"debugger" = svchost.exe
10530. 1992
10531. Regkey
10532. Added
10533.  
10534. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10535. ons\FortiFW.exe
10536. 1992
10537. Regkey
10538. Added
10539.  
10540. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiFW.
10541. exe
10542. 1992
10543. Regkey
10544. Setval
10545.  
10546. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiFW.
10547. exe\"debugger" = svchost.exe
10548. 1992
10549. Regkey
10550. Added
10551.  
10552. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10553. ons\FortiClient_Diagnostic_Tool.exe
10554. 1992
10555. Regkey
10556. Added
10557.  
10558. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiCli
10559. ent_Diagnostic_Tool.exe
10560. 1992
10561. Regkey
10562. Setval
10563.  
10564. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiCli
10565. ent_Diagnostic_Tool.exe\"debugger" = svchost.exe
10566. 1992
10567. Regkey
10568. Added
10569.  
10570. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10571. ons\av_task.exe
10572. 1992
10573. Regkey
10574. Added
10575.  
10576. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av_task.
10577. exe
10578. 1992
10579. Regkey
10580. Setval
10581.  
10582. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av_task.
10583. exe\"debugger" = svchost.exe
10584. 1992
10585. Regkey
10586. Added
10587.  
10588. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10589. ons\CertReg.exe
10590. 1992
10591. Regkey
10592. Added
10593.  
10594. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CertReg.
10595. exe
10596. 1992
10597. Regkey
10598. Setval
10599.  
10600. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CertReg.
10601. exe\"debugger" = svchost.exe
10602. 1992
10603. Regkey
10604. Added
10605.  
10606. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10607. ons\FilMsg.exe
10608. 1992
10609. Regkey
10610. Added
10611.  
10612. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.e
10613. xe
10614. 1992
10615. Regkey
10616. Setval
10617.  
10618. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.e
10619. xe\"debugger" = svchost.exe
10620. 1992
10621. Regkey
10622. Added
10623.  
10624. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10625. ons\FilUp.exe
10626. 1992
10627. Regkey
10628. Added
10629.  
10630. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilUp.ex
10631. e
10632. 1992
10633. Javacall
10634.  
10635. Method: exec
10636. Params: [ 'taskkill' '/IM' 'ProcessHacker.exe' '/T' '/F']
10637. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
10638. 1376
10639. Regkey
10640. Setval
10641.  
10642. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilUp.ex
10643. e\"debugger" = svchost.exe
10644. 1992
10645. Regkey
10646. Added
10647.  
10648. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10649. ons\filwscc.exe
10650. 1992
10651. Regkey
10652. Added
10653.  
10654. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filwscc.
10655. exe
10656. 1992
10657. Javacall
10658.  
10659. Method: exec
10660. Params: [ 'taskkill' '/IM' 'ProcessHacker.exe' '/T' '/F', null, null]
10661. Imagepath: C:\Progra~2\Java\jre1.8.0_0\bin\javaw.exe
10662. 1376
10663. Regkey
10664. Setval
10665.  
10666. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filwscc.
10667. exe\"debugger" = svchost.exe
10668. 1992
10669. Regkey
10670. Added
10671.  
10672. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10673. ons\psview.exe
10674. 1992
10675. Regkey
10676. Added
10677.  
10678. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psview.e
10679. xe
10680. 1992
10681. Regkey
10682. Setval
10683.  
10684. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psview.e
10685. xe\"debugger" = svchost.exe
10686. 1992
10687. Regkey
10688. Added
10689.  
10690. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10691. ons\quamgr.exe
10692. 1992
10693. Regkey
10694. Added
10695.  
10696. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\quamgr.e
10697. xe
10698. 1992
10699. Regkey
10700. Setval
10701.  
10702. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\quamgr.e
10703. xe\"debugger" = svchost.exe
10704. 1992
10705. Regkey
10706. Added
10707.  
10708. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Opti
10709. ons\schmgr.exe
10710. 1992
10711. Regkey
10712. Added
10713.  
10714. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schmgr.e
10715. xe
10716. 1992
10717. 48 Repeated items skipped
10718. Mutex
10719.  
10720. \Sessions\1\BaseNamedObjects\DBWinMutex
10721. 1224
10722. Regkey
10723. Queryvalue
10724.  
10725. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
10726. 1224
10727. DLL Loaded
10728.  
10729. Imagepath: C:\Users\Administrator\AppData\Roaming\Oracle\bin\javaw.exe
10730. DLL Path: C:\Users\Administrator\AppData\Roaming\Oracle\bin\msvcr100.dll
10731. MD5: bf38660a9125935658cfa3e53fdc7d65
10732. SHA1: 0b51fb415ec89848f339f8989d323bea722bfd70
10733. 1224
10734. Malicious Alert
10735. Generic Dll Load Activity
10736.  
10737. Message: DLL loaded
10738.  
10739. 3972 Repeated items skipped
10740. Mutex
10741.  
10742. \Sessions\1\BaseNamedObjects\DBWinMutex
10743. 3328
10744. Regkey
10745. Queryvalue
10746.  
10747. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
10748. 3328
10749.  
10750. ###################
10751. http://pedump.me/688a691d688d832a5bf42548ad4491b3/#7zip