bbb.the88888.com

DNS Lookup
Host Name IP Address
0 127.0.0.1
bbb.the88888.com
tj19.x9wdns.com
tj19.x9wdns.com 121.14.156.129
bbb.the88888.com 222.186.38.175
xxx.free88888.com
xxx.free88888.com 60.190.90.107
UDP Connections
Remote IP Address: 127.0.0.1 Port: 1118
Send Datagram: 100 packet(s) of size 1
Recv Datagram: 100 packet(s) of size 1
Download URLs
http://121.14.156.129/bang1/tj.asp?mac=00c0f185907a&ver=10728&os=&dtime=2010-7-2 (tj19.x9wdns.com)
http://222.186.38.175/c/host.txt (bbb.the88888.com)
http://222.186.38.175/c/ff.txt (bbb.the88888.com)
http://60.190.90.107/C01.exe (xxx.free88888.com)
http://60.190.90.107/C10.exe (xxx.free88888.com)
http://60.190.90.107/C/C02.exe (xxx.free88888.com)
http://60.190.90.107/C/C03.exe (xxx.free88888.com)
http://60.190.90.107/C/C04.exe (xxx.free88888.com)
http://60.190.90.107/C/C05.exe (xxx.free88888.com)
http://60.190.90.107/C/C06.exe (xxx.free88888.com)
http://60.190.90.107/C/C07.exe (xxx.free88888.com)
http://60.190.90.107/C/C08.exe (xxx.free88888.com)
http://60.190.90.107/C09.exe (xxx.free88888.com)
http://60.190.90.107/C10.exe (xxx.free88888.com)

Outgoing connection to remote server: tj19.x9wdns.com TCP port 2787
Outgoing connection to remote server: bbb.the88888.com TCP port 18185
Outgoing connection to remote server: bbb.the88888.com TCP port 18185
Outgoing connection to remote server: xxx.free88888.com TCP port 26677
Outgoing connection to remote server: xxx.free88888.com TCP port 26677
Outgoing connection to remote server: xxx.free88888.com TCP port 26677

Registry Changes by all processes
Create or Open
Changes
HKEY_CURRENT_USER\Software\Microsoft\Notepad “lfEscapement” = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “lfOrientation” = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “lfWeight” = [REG_DWORD, value: 00000190]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “lfItalic” = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “lfUnderline” = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “lfStrikeOut” = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “lfCharSet” = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “lfOutPrecision” = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “lfClipPrecision” = [REG_DWORD, value: 00000002]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “lfQuality” = [REG_DWORD, value: 00000002]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “lfPitchAndFamily” = [REG_DWORD, value: 00000031]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “iPointSize” = [REG_DWORD, value: 00000064]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “fWrap” = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “StatusBar” = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “fSaveWindowPositions” = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “lfFaceName” = Lucida Console
HKEY_CURRENT_USER\Software\Microsoft\Notepad “szHeader” = &n
HKEY_CURRENT_USER\Software\Microsoft\Notepad “szTrailer” = Seite &s
HKEY_CURRENT_USER\Software\Microsoft\Notepad “iMarginTop” = [REG_DWORD, value: 000009C4]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “iMarginBottom” = [REG_DWORD, value: 000009C4]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “iMarginLeft” = [REG_DWORD, value: 000007D0]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “iMarginRight” = [REG_DWORD, value: 000007D0]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “fMLE_is_broken” = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “iWindowPosX” = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “iWindowPosY” = [REG_DWORD, value: 0000006C]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “iWindowPosDX” = [REG_DWORD, value: 0000050C]
HKEY_CURRENT_USER\Software\Microsoft\Notepad “iWindowPosDY” = [REG_DWORD, value: 00000356]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe “avp.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeboxTray.exe “safeboxTray.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safebox.exe “360Safebox.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe “360tray.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antiarp.exe “antiarp.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe “ekrn.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe “RsAgent.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe “mfeann.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe “egui.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe “RavMon.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe “RavMonD.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe “RavTask.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe “CCenter.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe “RavStub.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsTray.exe “RsTray.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScanFrm.exe “ScanFrm.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe “Rav.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe “AgentSvr.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe “QQDoctor.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McProxy.exe “McProxy.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe “mcshield.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsnetsvr.exe “rsnetsvr.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe “naPrdMgr.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpfSrv.exe “MpfSrv.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC.exe “MPSVC.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC1.exe “MPSVC1.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISSvc.exe “KISSvc.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe “KPfwSvc.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe “kmailmon.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavStart.exe “KavStart.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\engineserver.exe “engineserver.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe “KPFW32.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe “KVSrvXP.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSetMgr.exe “ccSetMgr.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccEvtMgr.exe “ccEvtMgr.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe “defwatch.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscan.exe “rtvscan.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe “ccapp.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe “vptray.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdmgr.exe “mcupdmgr.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfevtps.exe “mfevtps.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe “mcsysmon.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmscsvc.exe “mcmscsvc.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcnasvc.exe “mcnasvc.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe “mcagent.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vstskmgr.exe “vstskmgr.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FrameworkService.exe “FrameworkService.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe “mcshell.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcinsupd.exe “mcinsupd.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe “bdagent.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe “livesrv.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe “vsserv.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe “xcommsvr.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe “ccSvcHst.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHSTAT.exe “SHSTAT.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McTray.exe “McTray.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udaterui.exe “udaterui.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KavStart.exe “KAVStart.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uplive.exe “Uplive.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe “KWatch.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctorRtp.exe “QQDoctorRtp.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrUpdate.exe “DrUpdate.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe “rfwsrv.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegGuide.exe “RegGuide.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPSVC2.exe “MPSVC2.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPMon.exe “MPMon.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.exe “LiveUpdate360.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rssafety.exe “rssafety.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KSWebShield.exe “KSWebShield.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360delays.exe “360delays.exe” = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “RsTray” = C:\WINDOWS\system32\scvhost.exe
Reads HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “lfEscapement”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “lfOrientation”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “lfWeight”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “lfItalic”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “lfUnderline”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “lfStrikeOut”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “lfCharSet”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “lfOutPrecision”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “lfClipPrecision”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “lfQuality”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “lfPitchAndFamily”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “lfFaceName”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “iPointSize”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “fWrap”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “StatusBar”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “fSaveWindowPositions”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “szHeader”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “szTrailer”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “iMarginTop”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “iMarginBottom”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “iMarginLeft”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “iMarginRight”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “iWindowPosY”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “iWindowPosX”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “iWindowPosDX”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “iWindowPosDY”
HKEY_CURRENT_USERSoftwareMicrosoftNotepad “fMLE_is_broken”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionHotFixKB956572 “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging Directory”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Log File Max Size”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Repository Directory”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “ProcessID”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “EnablePrivateObjectHeap”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “ContextLimit”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “ObjectLimit”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “IdentifierLimit”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “EnableObjectValidation”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Sink Transmit Buffer Size”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “DefaultRpcStackSize”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “EnableObjectValidation”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Log File Max Size”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D63A5850-8F16-11CF-9F47-00AA00BF345C}InprocServer32 “ThreadingModel”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D63A5850-8F16-11CF-9F47-00AA00BF345C}InprocServer32 “Synchronization”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D63A5850-8F16-11CF-9F47-00AA00BF345C}InprocServer32 “”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D63A5850-8F16-11CF-9F47-00AA00BF345C} “”
HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D63A5850-8F16-11CF-9F47-00AA00BF345C} “AppId”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionHotFixKB956572 “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOMSecuredHostProviders “ROOTCIMV2:__Win32Provider.Name=”CIMWin32″”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging Directory”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion “ProductName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging Directory”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Log File Max Size”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Repository Directory”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “ProcessID”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “EnablePrivateObjectHeap”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “ContextLimit”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “ObjectLimit”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “IdentifierLimit”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “EnableObjectValidation”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionHotFixKB956572 “Installed”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “10”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSecurityProviders “SecurityProviders”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “EnableExtensions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DelayedExpansion”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DefaultColor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “CompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “PathCompletionChar”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “AutoRun”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “EnableExtensions”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DelayedExpansion”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “DefaultColor”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “CompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “PathCompletionChar”
HKEY_CURRENT_USERSoftwareMicrosoftCommand Processor “AutoRun”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCommand Processor “DisableUNCCheck”
HKEY_CURRENT_USERSoftwareTencentQQSGSYS “path”
Enums
HKEY_CURRENT_USERSoftwareMicrosoftWindowsShellNoRoamMUICache

File Changes by all processes
New Files
C:WINDOWSee1591546t.dll
C:recycle.{645FF040-5081-101B-9F08-00AA002F954E}kav32.exe
C:WINDOWSextext1602625t.exe
C:WINDOWSsystem32driverspcidump.sys
C:WINDOWSsystem32scvhost.exe
_temp.bat
C:WINDOWSsystem32driversAsyncMac.sys
DeviceTcp
DeviceIp
DeviceTcp6
DeviceNetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F}
DeviceRasAcd
C:WINDOWSsystem32drivers12youxllsdfierjiernmnsdf.txt
C:WINDOWSsystem32driversC02.hm
C:WINDOWSsystem32driversC03.hm
C:WINDOWSsystem32driversC04.hm
C:WINDOWSsystem32driversC05.hm
C:WINDOWSsystem32driversC06.hm
C:WINDOWSsystem32driversC07.hm
C:WINDOWSsystem32driversC08.hm
C:WINDOWSsystem32driversC09.hm
321.aqq
C:DOKUME~1ADMINI~1LOKALE~1Temp18d462t23.dll
C:DOKUME~1ADMINI~1LOKALE~1Tempt23t.dll
C:DOKUME~1ADMINI~1LOKALE~1Temp1631656m13.dll
C:DOKUME~1ADMINI~1LOKALE~1Tempm13m.dll
C:DOKUME~1ADMINI~1LOKALE~1Temp1635859w25.dll
C:DOKUME~1ADMINI~1LOKALE~1Tempw25w.dll
C:DOKUME~1ADMINI~1LOKALE~1Temp1640781m16t.dll
C:DOKUME~1ADMINI~1LOKALE~1Tempm16t2.dll
C:DOKUME~1ADMINI~1LOKALE~1Temp1643484d03.dll
C:DOKUME~1ADMINI~1LOKALE~1Tempd03d.dll
C:DOKUME~1ADMINI~1LOKALE~1Temp1651000z28.dll
C:DOKUME~1ADMINI~1LOKALE~1Tempz28z.dll
C:DOKUME~1ADMINI~1LOKALE~1Temp1664125g07.dll
C:DOKUME~1ADMINI~1LOKALE~1Tempg07g.dll
C:DOKUME~1ADMINI~1LOKALE~1Temp1669046Q20.dll
C:DOKUME~1ADMINI~1LOKALE~1TempQ20q.dll
Opened Files
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:WINDOWSsystem32
C:WINDOWS
.pcidump
c:
.PIPElsarpc
C:WINDOWSRegistrationR000000000007.clb
.pipePIPE_EVENTROOT/CIMV2PROVIDERSUBSYSTEM
C:WINDOWSREPAIRSETUP.LOG
.PIPESfcApi
.KILLPS_Drv
.Ip
c:autoexec.bat
.PIPEROUTER
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926ff[1].txt
C:WINDOWSsystem32driversC01.hm
C:WINDOWSsystem32driversC02.hm
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADMC02[1].exe
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADM
C:WINDOWSsystem32driversC03.hm
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8C03[1].exe
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8
C:WINDOWSsystem32driversC04.hm
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1C04[1].exe
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1
C:WINDOWSsystem32driversC05.hm
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926C05[1].exe
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926
C:WINDOWSsystem32driversC06.hm
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADMC06[1].exe
C:WINDOWSsystem32driversC07.hm
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8C07[1].exe
C:WINDOWSsystem32driversC08.hm
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1C08[1].exe
C:WINDOWSsystem32driversC09.hm
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926C09[1].exe
C:WINDOWSsystem32driversC10.hm
c:_temp.bat
321.aqq
C:DOKUME~1ADMINI~1LOKALE~1Temp18d462t23.dll
C:DOKUME~1ADMINI~1LOKALE~1Temp1631656m13.dll
C:DOKUME~1ADMINI~1LOKALE~1Temp1635859w25.dll
C:DOKUME~1ADMINI~1LOKALE~1Temp1640781m16t.dll
C:DOKUME~1ADMINI~1LOKALE~1Temp1643484d03.dll
C:DOKUME~1ADMINI~1LOKALE~1Temp1651000z28.dll
C:DOKUME~1ADMINI~1LOKALE~1Temp1664125g07.dll
C:DOKUME~1ADMINI~1LOKALE~1Temp1669046Q20.dll
Deleted Files
C:WINDOWSee1591546t.dll
C:AUTORUN.INF
C:WINDOWSsystem32driverspcidump.sys
C:WINDOWSsystem32driversAsyncMac.sys
C:WINDOWSsystem32drivers12youxllsdfierjiernmnsdf.txt
c:321.aqq
c:kav.exe
c:_temp.bat
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADMC02[1].exe
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8C03[1].exe
C:DOKUME~1ADMINI~1LOKALE~1Temp1640781m16t.dll
C:DOKUME~1ADMINI~1LOKALE~1Tempm16t2.dll
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1C04[1].exe
C:DOKUME~1ADMINI~1LOKALE~1Temp1643484d03.dll
C:DOKUME~1ADMINI~1LOKALE~1Tempd03d.dll
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926C05[1].exe
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADMC06[1].exe
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8C07[1].exe
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1C08[1].exe
C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926C09[1].exe
Chronological Order
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32notepad.exe
Find File: C:WINDOWSsystem32cmd.exe
Create File: C:WINDOWSee1591546t.dll
Find File: C:WINDOWSsystem32rundll32.exe
Delete File: C:WINDOWSee1591546t.dll
Get File Attributes: C:AUTORUN.INF Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:AUTORUN.INF Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Delete File: C:AUTORUN.INF
Set File Attributes: C:AUTORUN.INF Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Copy File: c:kav.exe to C:recycle.{645FF040-5081-101B-9F08-00AA002F954E}kav32.exe
Set File Attributes: C:recycle.{645FF040-5081-101B-9F08-00AA002F954E} Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create File: C:WINDOWSextext1602625t.exe
Open File: C:WINDOWS ()
Find File: C:WINDOWSextext1602625t.exe
Create File: C:WINDOWSsystem32driverspcidump.sys
Open File: .pcidump (OPEN_EXISTING)
Delete File: C:WINDOWSsystem32driverspcidump.sys
Copy File: c:kav.exe to C:WINDOWSsystem32scvhost.exe
Create File: _temp.bat
Open File: c: ()
Find File: C:_temp.bat
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: c:sc.*
Find File: c:sc
Find File: C:WINDOWSsystem32sc.*
Find File: C:WINDOWSsystem32sc.COM
Find File: C:WINDOWSsystem32sc.EXE
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32sc.exe
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Get File Attributes: taskkill.exe Flags: (SECURITY_ANONYMOUS)
Find File: c:taskkill.exe
Find File: c:taskkill.exe.*
Find File: C:WINDOWSsystem32taskkill.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Open File: .PIPElsarpc (OPEN_EXISTING)
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:WINDOWSsystem32WBEMLogs Flags: (SECURITY_ANONYMOUS)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .pipePIPE_EVENTROOT/CIMV2PROVIDERSUBSYSTEM (OPEN_EXISTING)
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:WINDOWSsystem32WBEMLogs Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWS Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSREPAIRSETUP.LOG ()
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Get File Attributes: taskkill.exe Flags: (SECURITY_ANONYMOUS)
Find File: c:taskkill.exe
Find File: c:taskkill.exe.*
Find File: C:WINDOWSsystem32taskkill.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Open File: .PIPElsarpc (OPEN_EXISTING)
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:WINDOWSsystem32WBEMLogs Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSee1591546t.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSee1591546t.dll.manifest Flags: (SECURITY_ANONYMOUS)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPESfcApi (OPEN_EXISTING)
Delete File: C:WINDOWSsystem32driversAsyncMac.sys
Create File: C:WINDOWSsystem32driversAsyncMac.sys
Get File Attributes: C:WINDOWSsystem32driversAsyncMac.sys Flags: (SECURITY_ANONYMOUS)
Open File: .KILLPS_Drv (OPEN_EXISTING)
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: c:net.*
Find File: c:net
Find File: C:WINDOWSsystem32net.*
Find File: C:WINDOWSsystem32net.COM
Find File: C:WINDOWSsystem32net.EXE
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32net.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32net1.exe
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: c:net.*
Find File: c:net
Find File: C:WINDOWSsystem32net.*
Find File: C:WINDOWSsystem32net.COM
Find File: C:WINDOWSsystem32net.EXE
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32net.exe
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: c:sc.*
Find File: c:sc
Find File: C:WINDOWSsystem32sc.*
Find File: C:WINDOWSsystem32sc.COM
Find File: C:WINDOWSsystem32sc.EXE
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32sc.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32net1.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32cmd.exe
Open File: .PIPElsarpc (OPEN_EXISTING)
Create/Open File: DeviceTcp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Open File: .Ip (OPEN_EXISTING)
Create/Open File: DeviceTcp6 (OPEN_ALWAYS)
Create/Open File: DeviceNetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F} (OPEN_ALWAYS)
Get File Attributes: c:autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:autoexec.bat (OPEN_EXISTING)
Find File: C:Dokumente und EinstellungenAll UsersAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Find File: C:WINDOWSsystem32Ras*.pbk
Find File: C:Dokumente und EinstellungenAdministratorAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Create/Open File: DeviceRasAcd (OPEN_ALWAYS)
Open File: .PIPEROUTER (OPEN_EXISTING)
Set File Attributes: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1host[1].txt Flags: (FILE_ATTRIBUTE_READONLY SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926ff[1].txt (OPEN_EXISTING)
Create File: C:WINDOWSsystem32drivers12youxllsdfierjiernmnsdf.txt
Delete File: C:WINDOWSsystem32drivers12youxllsdfierjiernmnsdf.txt
Open File: C:WINDOWSsystem32driversC01.hm (OPEN_EXISTING)
Open File: C:WINDOWSsystem32driversC02.hm (OPEN_EXISTING)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADMC02[1].exe (OPEN_EXISTING)
Create File: C:WINDOWSsystem32driversC02.hm
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADM ()
Find File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADMC02[1].exe
Open File: C:WINDOWSsystem32driversC03.hm (OPEN_EXISTING)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8C03[1].exe (OPEN_EXISTING)
Create File: C:WINDOWSsystem32driversC03.hm
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8 ()
Find File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8C03[1].exe
Open File: C:WINDOWSsystem32driversC04.hm (OPEN_EXISTING)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1C04[1].exe (OPEN_EXISTING)
Create File: C:WINDOWSsystem32driversC04.hm
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1 ()
Find File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1C04[1].exe
Open File: C:WINDOWSsystem32driversC05.hm (OPEN_EXISTING)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926C05[1].exe (OPEN_EXISTING)
Create File: C:WINDOWSsystem32driversC05.hm
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926 ()
Find File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926C05[1].exe
Open File: C:WINDOWSsystem32driversC06.hm (OPEN_EXISTING)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADMC06[1].exe (OPEN_EXISTING)
Create File: C:WINDOWSsystem32driversC06.hm
Find File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADMC06[1].exe
Open File: C:WINDOWSsystem32driversC07.hm (OPEN_EXISTING)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8C07[1].exe (OPEN_EXISTING)
Create File: C:WINDOWSsystem32driversC07.hm
Find File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8C07[1].exe
Open File: C:WINDOWSsystem32driversC08.hm (OPEN_EXISTING)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1C08[1].exe (OPEN_EXISTING)
Create File: C:WINDOWSsystem32driversC08.hm
Find File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1C08[1].exe
Open File: C:WINDOWSsystem32driversC09.hm (OPEN_EXISTING)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926C09[1].exe (OPEN_EXISTING)
Create File: C:WINDOWSsystem32driversC09.hm
Find File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926C09[1].exe
Open File: C:WINDOWSsystem32driversC10.hm (OPEN_EXISTING)
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: c:cacls.*
Find File: c:cacls
Find File: C:WINDOWSsystem32cacls.*
Find File: C:WINDOWSsystem32cacls.COM
Find File: C:WINDOWSsystem32cacls.EXE
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32cacls.exe
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: c:cacls.*
Find File: c:cacls
Find File: C:WINDOWSsystem32cacls.*
Find File: C:WINDOWSsystem32cacls.COM
Find File: C:WINDOWSsystem32cacls.EXE
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32cacls.exe
Open File: .PIPElsarpc (OPEN_EXISTING)
Find File: C:DOKUME~1ADMINI~1LOKALE~1Temp” e p everyone:f
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Get File Attributes: _temp.bat Flags: (SECURITY_ANONYMOUS)
Find File: c:_temp.bat
Open File: c:_temp.bat (OPEN_EXISTING)
Open File: 321.aqq (OPEN_EXISTING)
Create/Open File: 321.aqq (OPEN_ALWAYS)
Get File Attributes: 321.aqq Flags: (SECURITY_ANONYMOUS)
Find File: c:321.aqq
Delete File: c:321.aqq
Get File Attributes: c:kav.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c: Flags: (SECURITY_ANONYMOUS)
Find File: c:kav.exe
Delete File: c:kav.exe
Delete File: c:_temp.bat
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp18d462t23.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:DOKUME~1ADMINI~1LOKALE~1Temp18d462t23.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp18d462t23.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADMC02[1].exe (OPEN_EXISTING)
Open File: C:DOKUME~1ADMINI~1LOKALE~1Temp18d462t23.dll (OPEN_EXISTING)
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempt23t.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:DOKUME~1ADMINI~1LOKALE~1Tempt23t.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempt23t.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32cmd.exe
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: C:WINDOWSsystem32rundll32.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp1631656m13.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:DOKUME~1ADMINI~1LOKALE~1Temp1631656m13.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp1631656m13.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8C03[1].exe (OPEN_EXISTING)
Open File: C:DOKUME~1ADMINI~1LOKALE~1Temp1631656m13.dll (OPEN_EXISTING)
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempm13m.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:DOKUME~1ADMINI~1LOKALE~1Tempm13m.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempm13m.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32cmd.exe
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempt23t.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempt23t.dll.manifest Flags: (SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADMC02[1].exe (OPEN_EXISTING)
Delete File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADMC02[1].exe
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp1635859w25.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:DOKUME~1ADMINI~1LOKALE~1Temp1635859w25.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp1635859w25.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1C04[1].exe (OPEN_EXISTING)
Open File: C:DOKUME~1ADMINI~1LOKALE~1Temp1635859w25.dll (OPEN_EXISTING)
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempw25w.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:DOKUME~1ADMINI~1LOKALE~1Tempw25w.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempw25w.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32cmd.exe
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: C:WINDOWSsystem32rundll32.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempm13m.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempm13m.dll.manifest Flags: (SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8C03[1].exe (OPEN_EXISTING)
Delete File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8C03[1].exe
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: C:WINDOWSsystem32rundll32.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp1640781m16t.dll Flags: (SECURITY_ANONYMOUS)
Delete File: C:DOKUME~1ADMINI~1LOKALE~1Temp1640781m16t.dll
Create File: C:DOKUME~1ADMINI~1LOKALE~1Temp1640781m16t.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp1640781m16t.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926C05[1].exe (OPEN_EXISTING)
Open File: C:DOKUME~1ADMINI~1LOKALE~1Temp1640781m16t.dll (OPEN_EXISTING)
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempm16t2.dll Flags: (SECURITY_ANONYMOUS)
Delete File: C:DOKUME~1ADMINI~1LOKALE~1Tempm16t2.dll
Create File: C:DOKUME~1ADMINI~1LOKALE~1Tempm16t2.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempm16t2.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32cmd.exe
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempw25w.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempw25w.dll.manifest Flags: (SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1C04[1].exe (OPEN_EXISTING)
Delete File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1C04[1].exe
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: C:WINDOWSsystem32rundll32.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp1643484d03.dll Flags: (SECURITY_ANONYMOUS)
Delete File: C:DOKUME~1ADMINI~1LOKALE~1Temp1643484d03.dll
Create File: C:DOKUME~1ADMINI~1LOKALE~1Temp1643484d03.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp1643484d03.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADMC06[1].exe (OPEN_EXISTING)
Open File: C:DOKUME~1ADMINI~1LOKALE~1Temp1643484d03.dll (OPEN_EXISTING)
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempd03d.dll Flags: (SECURITY_ANONYMOUS)
Delete File: C:DOKUME~1ADMINI~1LOKALE~1Tempd03d.dll
Create File: C:DOKUME~1ADMINI~1LOKALE~1Tempd03d.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempd03d.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32cmd.exe
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempm16t2.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempm16t2.dll.manifest Flags: (SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926C05[1].exe (OPEN_EXISTING)
Delete File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926C05[1].exe
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: C:WINDOWSsystem32rundll32.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp1651000z28.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:DOKUME~1ADMINI~1LOKALE~1Temp1651000z28.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp1651000z28.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8C07[1].exe (OPEN_EXISTING)
Open File: C:DOKUME~1ADMINI~1LOKALE~1Temp1651000z28.dll (OPEN_EXISTING)
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempz28z.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:DOKUME~1ADMINI~1LOKALE~1Tempz28z.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempz28z.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32cmd.exe
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempd03d.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempd03d.dll.manifest Flags: (SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADMC06[1].exe (OPEN_EXISTING)
Delete File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5UJ8NADMC06[1].exe
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: C:WINDOWSsystem32rundll32.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempz28z.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempz28z.dll.manifest Flags: (SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8C07[1].exe (OPEN_EXISTING)
Delete File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5HLENIMB8C07[1].exe
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp1664125g07.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:DOKUME~1ADMINI~1LOKALE~1Temp1664125g07.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp1664125g07.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1C08[1].exe (OPEN_EXISTING)
Open File: C:DOKUME~1ADMINI~1LOKALE~1Temp1664125g07.dll (OPEN_EXISTING)
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempg07g.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:DOKUME~1ADMINI~1LOKALE~1Tempg07g.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempg07g.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32cmd.exe
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: C:WINDOWSsystem32rundll32.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp1669046Q20.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:DOKUME~1ADMINI~1LOKALE~1Temp1669046Q20.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Temp1669046Q20.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926C09[1].exe (OPEN_EXISTING)
Open File: C:DOKUME~1ADMINI~1LOKALE~1Temp1669046Q20.dll (OPEN_EXISTING)
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1TempQ20q.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:DOKUME~1ADMINI~1LOKALE~1TempQ20q.dll
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1TempQ20q.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32cmd.exe
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempg07g.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempg07g.dll.manifest Flags: (SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1C08[1].exe (OPEN_EXISTING)
Delete File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5OTWL3NW1C08[1].exe
Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
Find File: C:
Find File: C:WINDOWSsystem32rundll32.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1TempQ20q.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1TempQ20q.dll.manifest Flags: (SECURITY_ANONYMOUS)
Open File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926C09[1].exe (OPEN_EXISTING)
Delete File: C:Dokumente und EinstellungenAdministratorLokale EinstellungenTemporary Internet FilesContent.IE5GGLLB926C09[1].exe
