General Info

URL

https://q.rmine.co/p/?p=4qrq3v1k

Full analysis
https://app.any.run/tasks/5d416a47-e3ee-4c07-a882-5332b3fec814
Verdict
Malicious activity
Analysis date
12/6/2018, 10:30:33
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • UsageMonitor.UI.App.exe (PID: 1888)
  • UsageMonitor.WindowsService.exe (PID: 4076)
  • UsageMonitor.HealthCheck.exe (PID: 3096)
  • Setup.exe (PID: 2892)
  • serveFile[1].exe (PID: 3044)
Loads dropped or rewritten executable
  • UsageMonitor.UI.App.exe (PID: 1888)
  • UsageMonitor.HealthCheck.exe (PID: 3096)
  • UsageMonitor.WindowsService.exe (PID: 4076)
  • serveFile[1].exe (PID: 3044)
Changes the autorun value in the registry
  • Setup.exe (PID: 2892)
Uses RUNDLL32.EXE to load library
  • UsageMonitor.UI.App.exe (PID: 1888)
Creates files in the user directory
  • serveFile[1].exe (PID: 3044)
Reads Environment values
  • UsageMonitor.UI.App.exe (PID: 1888)
Reads Internet Cache Settings
  • rundll32.exe (PID: 2804)
  • UsageMonitor.UI.App.exe (PID: 1888)
Executable content was dropped or overwritten
  • msiexec.exe (PID: 2764)
  • Setup.exe (PID: 2892)
  • iexplore.exe (PID: 2952)
  • serveFile[1].exe (PID: 3044)
  • iexplore.exe (PID: 3232)
Changes the autorun value in the registry
  • msiexec.exe (PID: 2764)
Creates a software uninstall entry
  • Setup.exe (PID: 2892)
Creates files in the program directory
  • Setup.exe (PID: 2892)
Searches for installed software
  • Setup.exe (PID: 2892)
Application launched itself
  • msiexec.exe (PID: 2764)
  • iexplore.exe (PID: 2952)
Creates files in the program directory
  • msiexec.exe (PID: 2764)
Creates a software uninstall entry
  • msiexec.exe (PID: 2764)
Low-level read access rights to disk partition
  • vssvc.exe (PID: 3424)
Reads Internet Cache Settings
  • iexplore.exe (PID: 2952)
  • iexplore.exe (PID: 3232)
Creates files in the user directory
  • iexplore.exe (PID: 2952)
  • iexplore.exe (PID: 3232)
Changes internet zones settings
  • iexplore.exe (PID: 2952)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Screenshots

Processes

Total processes
50
Monitored processes
13
Malicious processes
6
Suspicious processes
0

Behavior graph

Graph nodes (edge labels: drop and start, start, drop and start):

  • iexplore.exe
  • iexplore.exe
  • servefile[1].exe
  • setup.exe
  • vssvc.exe (no specs)
  • drvinst.exe (no specs)
  • msiexec.exe
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • usagemonitor.windowsservice.exe (no specs)
  • usagemonitor.ui.app.exe
  • usagemonitor.healthcheck.exe (no specs)
  • rundll32.exe (no specs)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
2952
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\propsys.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mlang.dll
c:\windows\system32\userenv.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\r9zewh8d\servefile[1].exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll

PID
3232
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\fveui.dll
c:\windows\system32\wpc.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll

PID
3044
CMD
"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\serveFile[1].exe"
Path
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\serveFile[1].exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
RealityMine Ltd
Description
AnalyzeMe
Version
2.0.3.0
Modules
Image
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\r9zewh8d\servefile[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\profapi.dll
c:\windows\system32\feclient.dll
c:\users\admin\appdata\local\temp\{c246614a-ee40-4deb-a5bc-b0878350f06f}\.ba1\mbahost.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\users\admin\appdata\local\temp\{c246614a-ee40-4deb-a5bc-b0878350f06f}\.ba1\bootstrappercore.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\users\admin\appdata\local\temp\{c246614a-ee40-4deb-a5bc-b0878350f06f}\.ba1\installer.bootstrapperapplication.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\windowsbase\32512bd09e2231f6eebb15fc17e3ad79\windowsbase.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentationcore\416ba33cb980d07643e82c4c45bd5786\presentationcore.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio5ae0f00f#\da36abbea6ef456f432434d4d8d835c1\presentationframework.ni.dll
c:\users\admin\appdata\local\temp\{c246614a-ee40-4deb-a5bc-b0878350f06f}\.ba1\usagemonitor.utilities.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xaml\6d09f865a22e2f903b74476769e1b76a\system.xaml.ni.dll
c:\windows\system32\dwrite.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpfgfx_v0400.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\presentationnative_v0400.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\vga.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatiod51afaa5#\01bed42723486eb478a5b3e2557173db\presentationframework.classic.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio49d6fefe#\33d15f16d20849f7c46d19b7bc7f4273\presentationframework-systemxml.ni.dll
c:\windows\system32\msctfui.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\uiautomationtypes\7e77d1835b49fa80598b5c47eaedccfc\uiautomationtypes.ni.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\sspicli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\mpr.dll
c:\program files\analyzeme\usagemonitor.ui.app.exe
c:\program files\analyzeme\usagemonitor.healthcheck.exe

PID
2892
CMD
"C:\Users\admin\AppData\Local\Temp\{c246614a-ee40-4deb-a5bc-b0878350f06f}\.be\Setup.exe" -q -burn.elevated BurnPipe.{61719E4B-CB17-4E5F-808C-5BA891C0A270} {5249558B-3BBB-4014-85AB-36F2B58643D0} 3044
Path
C:\Users\admin\AppData\Local\Temp\{c246614a-ee40-4deb-a5bc-b0878350f06f}\.be\Setup.exe
Indicators
Parent process
serveFile[1].exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
RealityMine Ltd
Description
AnalyzeMe
Version
2.0.3.0
Modules
Image
c:\users\admin\appdata\local\temp\{c246614a-ee40-4deb-a5bc-b0878350f06f}\.be\setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wuapi.dll
c:\windows\system32\wups.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll

PID
3424
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
2740
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000574" "000002D0"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

PID
2764
CMD
C:\Windows\system32\msiexec.exe /V
Path
C:\Windows\system32\msiexec.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\propsys.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\analyzeme\usagemonitor.ui.app.exe

PID
3652
CMD
C:\Windows\system32\MsiExec.exe -Embedding 815EA554DCC7DB429186D4D98917F47D
Path
C:\Windows\system32\MsiExec.exe
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msiba8e.tmp

PID
2072
CMD
C:\Windows\system32\MsiExec.exe -Embedding AA816EE30ED9F1FCC222C0563457B1D0 M Global\MSI0000
Path
C:\Windows\system32\MsiExec.exe
Indicators
No indicators
Parent process
msiexec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msic02e.tmp

PID
4076
CMD
"C:\Program Files\AnalyzeMe\UsageMonitor.WindowsService.exe" -start
Path
C:\Program Files\AnalyzeMe\UsageMonitor.WindowsService.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
RealityMine Ltd
Description
UsageMonitor.WindowsService
Version
2.0.3.0
Modules
Image
c:\program files\analyzeme\usagemonitor.windowsservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\program files\analyzeme\usagemonitor.utilities.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.serv759bfb78#\86909e4c4c7deb51e42b8f335c7aaa77\system.serviceprocess.ni.dll
c:\program files\analyzeme\usagemonitor.cpuid.sdk.dll
c:\program files\analyzeme\nancy.hosting.self.dll
c:\program files\analyzeme\nancy.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\program files\analyzeme\bouncycastle.crypto.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\analyzeme\cpuidsdk.dll
c:\program files\analyzeme\elysium.dll
c:\program files\analyzeme\fiddlercore.dll
c:\program files\analyzeme\hardcodet.wpf.taskbarnotification.dll
c:\program files\analyzeme\htmlagilitypack.dll
c:\program files\analyzeme\icsharpcode.sharpziplib.dll
c:\program files\analyzeme\managedwifi.dll
c:\program files\analyzeme\microsoft.expression.drawing.dll
c:\program files\analyzeme\microsoft.windows.shell.dll
c:\program files\analyzeme\newtonsoft.json.dll
c:\program files\analyzeme\usagemonitor.library.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\ecc5bbc5c2734b2451ced2f668f40911\system.configuration.install.ni.dll
c:\windows\system32\bcrypt.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\dd1e55e4b87101888a94f28ce396f2ea\microsoft.csharp.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dynamic\788fba784cfc29d8c324d66f6ee4c427\system.dynamic.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\httpapi.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\microsoft.net\framework\v4.0.30319\diasymreader.dll

PID
1888
CMD
"C:\Program Files\AnalyzeMe\UsageMonitor.UI.App.exe" /FirstTime
Path
C:\Program Files\AnalyzeMe\UsageMonitor.UI.App.exe
Indicators
Parent process
serveFile[1].exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
RealityMine Ltd
Description
UsageMonitor.UI.App
Version
2.0.3.0
Modules
Image
c:\program files\analyzeme\usagemonitor.ui.app.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\windowsbase\32512bd09e2231f6eebb15fc17e3ad79\windowsbase.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentationcore\416ba33cb980d07643e82c4c45bd5786\presentationcore.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio5ae0f00f#\da36abbea6ef456f432434d4d8d835c1\presentationframework.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xaml\6d09f865a22e2f903b74476769e1b76a\system.xaml.ni.dll
c:\windows\system32\dwrite.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpfgfx_v0400.dll
c:\windows\system32\oleaut32.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\presentationnative_v0400.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\program files\analyzeme\usagemonitor.utilities.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\analyzeme\usagemonitor.library.dll
c:\program files\analyzeme\elysium.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscorsecimpl.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\fveui.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\shell32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\c56771a9cfb87e660d60453e232abe27\system.runtime.serialization.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\smdiagnostics\4a2a848ea1fea1a74d5aa2f1c21c5ce8\smdiagnostics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servd1dec626#\52e9ac689c75dd011f0f7e827551e985\system.servicemodel.internals.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\program files\analyzeme\hardcodet.wpf.taskbarnotification.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\vga.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\windowscodecs.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatiod51afaa5#\01bed42723486eb478a5b3e2557173db\presentationframework.classic.ni.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\program files\analyzeme\newtonsoft.json.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\cd7ca8846a122a7e690e11c4611bc902\system.numerics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.comp46f2b404#\dccda7bb827d5eab8e31175f8fe70aef\system.componentmodel.dataannotations.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml.linq\0261f24b2fd53085823ea90b359d71ee\system.xml.linq.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\032f5fa875be86b577722ddeeee2e51c\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio49d6fefe#\33d15f16d20849f7c46d19b7bc7f4273\presentationframework-systemxml.ni.dll
c:\windows\system32\msctfui.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\uiautomationtypes\7e77d1835b49fa80598b5c47eaedccfc\uiautomationtypes.ni.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio4b37ff64#\ec80a2cdcf0a749cf0fbcad633b29253\presentationframework-systemxmllinq.ni.dll
c:\windows\system32\winmm.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio84a7b877#\e56357d7d3d0eeefff9b4bd199154203\presentationframework-systemdata.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.net.http\a625f78e6ba48a38f05c102a5fb9c103\system.net.http.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\4dfa27fdd6a4cce26f99585e1c744f9b\system.management.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\program files\analyzeme\fiddlercore.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\nlaapi.dll

PID
3096
CMD
"C:\Program Files\AnalyzeMe\UsageMonitor.HealthCheck.exe"
Path
C:\Program Files\AnalyzeMe\UsageMonitor.HealthCheck.exe
Indicators
No indicators
Parent process
serveFile[1].exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967295
Version:
Company
RealityMine Ltd
Description
UsageMonitor.HealthCheck
Version
2.0.3.0
Modules
Image
c:\program files\analyzeme\usagemonitor.healthcheck.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\program files\analyzeme\usagemonitor.utilities.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll

PID
2804
CMD
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
UsageMonitor.UI.App.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
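
The process entries above are a flat listing (a field name on one line, its value on the next, then the module list under Modules/Image), which hides the points a reviewer would pull out: UsageMonitor.WindowsService.exe (PID 4076) runs at SYSTEM integrity and loads, among other third-party assemblies, fiddlercore.dll and nancy.hosting.self.dll together with httpapi.dll; rundll32.exe (PID 2804) is started at LOW integrity by UsageMonitor.UI.App.exe; and UsageMonitor.HealthCheck.exe (PID 3096) ends with exit code 4294967295, which is 0xFFFFFFFF, i.e. -1 as a signed 32-bit value. The script below is an added example written for this page, not part of the ANY.RUN report and not RealityMine code: it parses process blocks in this layout from a constructed excerpt (fields and module lists shortened) and reports SYSTEM-integrity processes that load modules from outside C:\Windows, rundll32.exe whose parent is outside a small allowlist, and exit codes that are negative when read as signed. The capability hints attached to DLL names and the rundll32 parent allowlist are the author's assumptions, not findings stated by the report.

```python
import re

# Field names that stand alone on a line in the ANY.RUN process listing.
KEYS = {"PID", "CMD", "Path", "Indicators", "Parent process", "User", "Integrity Level",
        "Exit code", "Version:", "Company", "Description", "Version", "Modules", "Image"}
# The author's reading of what a loaded DLL suggests (assumed, not stated by the report).
CAPABILITY_HINTS = {
    "fiddlercore.dll": "HTTP(S) proxy / traffic-interception library",
    "httpapi.dll": "HTTP.sys listener (self-hosted HTTP endpoint)",
}
# Parents from which rundll32.exe is routine; anything else is reported (assumption).
ROUTINE_RUNDLL32_PARENTS = {"explorer.exe", "svchost.exe", "services.exe"}

def parse_processes(text):
    """Blocks are blank-line separated; each line is a field name or the value of the
    last field name, and lines after 'Image' are module paths. A field name followed
    directly by another field name (an empty 'Indicators') simply stays absent."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines or lines[0] != "PID":
            continue
        proc, key = {"modules": []}, None
        for line in lines:
            if line in KEYS:
                key = line
            elif key == "Image":
                proc["modules"].append(line.lower())
            elif key:
                proc[key] = line
        procs.append(proc)
    return procs

def signed_exit_code(value):
    """The report prints exit codes unsigned: 4294967295 is 0xFFFFFFFF, i.e. -1."""
    n = int(value)
    return n - (1 << 32) if n >= (1 << 31) else n

def triage(procs):
    findings = []
    for p in procs:
        pid, name = p.get("PID", "?"), p.get("Path", "").rsplit("\\", 1)[-1].lower()
        basenames = {m.rsplit("\\", 1)[-1] for m in p["modules"]}
        outside = [m for m in p["modules"]
                   if not m.startswith(("c:\\windows\\", "c:\\systemroot\\"))]
        if p.get("Integrity Level") == "SYSTEM" and outside:
            hints = sorted(CAPABILITY_HINTS[b] for b in basenames if b in CAPABILITY_HINTS)
            findings.append(f"PID {pid} {name}: SYSTEM integrity, {len(outside)} modules "
                            f"loaded from outside C:\\Windows; hints: {hints}")
        parent = p.get("Parent process", "").lower()
        if name == "rundll32.exe" and parent not in ROUTINE_RUNDLL32_PARENTS:
            findings.append(f"PID {pid} rundll32.exe spawned by {parent}: {p.get('CMD', '')}")
        if "Exit code" in p and signed_exit_code(p["Exit code"]) < 0:
            findings.append(f"PID {pid} {name}: exit code {signed_exit_code(p['Exit code'])}")
    return findings

# Constructed excerpt in the report's own layout (fields and module lists shortened).
SAMPLE = r"""
PID
4076
Path
C:\Program Files\AnalyzeMe\UsageMonitor.WindowsService.exe
Parent process
––
Integrity Level
SYSTEM
Modules
Image
c:\program files\analyzeme\usagemonitor.windowsservice.exe
c:\program files\analyzeme\fiddlercore.dll
c:\windows\system32\httpapi.dll

PID
3096
Path
C:\Program Files\AnalyzeMe\UsageMonitor.HealthCheck.exe
Indicators
Parent process
serveFile[1].exe
Integrity Level
MEDIUM
Exit code
4294967295

PID
2804
CMD
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1
Path
C:\Windows\system32\rundll32.exe
Parent process
UsageMonitor.UI.App.exe
Integrity Level
LOW
Exit code
0
"""

if __name__ == "__main__":
    print("\n".join(triage(parse_processes(SAMPLE))))
```

Against the three sample blocks this prints three findings; to run it on the full report, paste the process section in place of SAMPLE. A hint only says what a library is for (FiddlerCore is an HTTP proxy library; a self-hosted HTTP listener pulls in httpapi.dll), not that the process actually intercepted or served traffic, which the process list by itself cannot show.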

Registry activity

Total events
1853
Read events
1463
Write events
381
Delete events
9
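
The modification events listed below are flattened the same way: PID, Process, Operation, Key, then Name and Value, each on its own line, with Name and Value absent for "delete key" and Value absent for writes of empty data (DisplayName, BundleAddonCode). What matters to a reviewer is spread across hundreds of lines: Setup.exe writes a RunOnce entry pointing at the cached bundle with a /burn.runonce switch (the WiX Burn bootstrapper's normal resume-after-reboot mechanism, not by itself a persistence trick), a PendingFileRenameOperations entry under Session Manager, and uninstall and dependency registrations, while in the events shown iexplore.exe writes only under HKEY_CURRENT_USER. The script below is an added example for this page, not part of the report: it parses events in this layout from a constructed excerpt, tags keys on a watchlist, and counts HKEY_LOCAL_MACHINE writes per process. The watchlist categories and the rule that a record starts at a numeric line followed by a process image name and an operation are the author's assumptions about the layout, not something the report defines.

```python
import re
from collections import Counter

OPERATIONS = {"write", "delete key"}
# Key patterns the author treats as worth a second look (assumed categories,
# not classifications made by the report).
WATCHLIST = [
    (r"\\CurrentVersion\\Run(Once)?$", "autostart entry (Run/RunOnce)"),
    (r"\\Control\\Session Manager$", "deferred file operation (PendingFileRenameOperations)"),
    (r"\\CurrentVersion\\Uninstall\\", "installer registration (uninstall entry)"),
    (r"\\Installer\\Dependencies\\", "MSI/Burn dependency registration"),
    (r"\\CurrentVersion\\SystemRestore", "system restore point bookkeeping"),
]

def parse_registry_events(text):
    """Each record is PID, Process, Operation, Key, then Name and Value only when
    present ('delete key' has neither; a write of empty data has no Value line).
    A record starts where a numeric line is followed by a process image name and an
    operation, which is what tells a Value such as '0' apart from the next PID."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]

    def starts_at(i):
        return (lines[i].isdigit() and i + 2 < len(lines)
                and lines[i + 1].lower().endswith(".exe") and lines[i + 2] in OPERATIONS)

    starts = [i for i in range(len(lines)) if starts_at(i)] + [len(lines)]
    events = []
    for a, b in zip(starts, starts[1:]):
        rec = lines[a:b] + ["", ""]  # pad so a missing Name/Value reads as empty
        events.append({"pid": int(rec[0]), "process": rec[1], "op": rec[2],
                       "key": rec[3], "name": rec[4], "value": rec[5]})
    return events

def triage(events):
    """One line per event whose key matches a watchlist pattern."""
    findings = []
    for e in events:
        for pattern, label in WATCHLIST:
            if re.search(pattern, e["key"], re.IGNORECASE):
                findings.append(f"PID {e['pid']} {e['process']} {e['op']} [{label}] "
                                f"{e['key']} :: {e['name']} = {e['value']}")
    return findings

def hklm_writers(events):
    """Writes under HKEY_LOCAL_MACHINE per process; these generally need admin or
    SYSTEM rights, so they show which processes ran elevated."""
    return Counter(e["process"] for e in events if e["op"] == "write"
                   and e["key"].upper().startswith("HKEY_LOCAL_MACHINE"))

# Constructed excerpt in the report's own layout, including the column header.
SAMPLE = r"""
PID
Process
Operation
Key
Name
Value
2952
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018082720180903
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
BundleAddonCode
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
{c246614a-ee40-4deb-a5bc-b0878350f06f}
"C:\ProgramData\Package Cache\{c246614a-ee40-4deb-a5bc-b0878350f06f}\Setup.exe" /burn.log.append "C:\Users\admin\AppData\Local\Temp\AnalyzeMe_20181206093356.log" /burn.runonce
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
PendingFileRenameOperations
\??\C:\Users\admin\AppData\Local\Temp\DELF072.tmp
"""

if __name__ == "__main__":
    print("\n".join(triage(parse_registry_events(SAMPLE))))
    print(dict(hklm_writers(parse_registry_events(SAMPLE))))
```

The record-boundary rule holds for this report because a Value line that is numeric is always followed by a PID line, never by an image name, so "0" followed by "2952" is not mistaken for a new record. A watchlist hit is a pointer, not a verdict: the RunOnce and PendingFileRenameOperations writes here come from the installer's own resume and cleanup logic, and the question for the reviewer is what they point at, which the Value column answers.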

Modification events

PID
Process
Operation
Key
Name
Value
2952
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018082720180903
2952
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018090920180910
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{A414E9ED-F939-11E8-BAD8-5254004A04AF}
0
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
3
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E2070C000400060009001F000100DA00
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
3
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E2070C000400060009001F000100DA00
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
3
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E2070C000400060009001F000100F301
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
18
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
3
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E2070C000400060009001F0001003102
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
43
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
3
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E2070C000400060009001F0001009F02
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
34
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E2070C0004000600090021003800280100000000
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
NotifyDownloadComplete
yes
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120620181207
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018120620181207
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120620181207
CachePrefix
:2018120620181207:
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120620181207
CacheLimit
8192
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120620181207
CacheOptions
11
2952
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018120620181207
CacheRepair
0
3232
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829
3232
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018120620181207
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018120620181207
3232
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018120620181207
CachePrefix
:2018120620181207:
3232
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018120620181207
CacheLimit
8192
3232
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018120620181207
CacheOptions
11
3232
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018120620181207
CacheRepair
0
3044
serveFile[1].exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
serveFile[1].exe
3044
serveFile[1].exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3044
serveFile[1].exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3044
serveFile[1].exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow
Left
0
3044
serveFile[1].exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow
Top
0
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Enter)
40000000000000000A6C9FD6468DD4014C0B0000480B0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Enter)
40000000000000000A6C9FD6468DD4014C0B0000480B0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
LastIndex
20
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Enter)
400000000000000028F105D7468DD4014C0B0000480B0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Enter)
4000000000000000825308D7468DD4014C0B0000980A0000E803000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Leave)
40000000000000000421F9D7468DD4014C0B0000980A0000E803000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Leave)
40000000000000002C6DDDDE468DD4014C0B0000480B0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Enter)
40000000000000002C6DDDDE468DD4014C0B0000480B0000D4070000000000000000000000000000000000000000000000000000000000000000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Leave)
40000000000000006409FADE468DD4014C0B0000480B0000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Enter)
4000000000000000042F20DF468DD4014C0B0000240A0000E903000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Leave)
40000000000000000CDE4FDF468DD4014C0B0000240A0000E903000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Enter)
40000000000000000CDE4FDF468DD4014C0B00008C070000F903000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Leave)
40000000000000001A0557DF468DD4014C0B00008C070000F903000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Enter)
4000000000000000282C5EDF468DD4014C0B0000480B00000A04000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Leave)
400000000000000052CEA4E0468DD4014C0B0000800A00000A04000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Leave)
4000000000000000AC30A7E0468DD4014C0B0000480B0000D0070000010000000000000000000000000000000000000000000000000000000000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Leave)
4000000000000000AC30A7E0468DD4014C0B0000480B0000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
FirstRun
0
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
LastIndex
20
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
0
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
StartNesting
0000000000000000
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
BundleCachePath
C:\ProgramData\Package Cache\{c246614a-ee40-4deb-a5bc-b0878350f06f}\Setup.exe
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
BundleUpgradeCode
{98A9C81A-49FB-468C-82F6-B528AAA595AE}
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
BundleAddonCode
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
BundleDetectCode
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
BundlePatchCode
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
BundleVersion
2.0.3.0
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
BundleProviderKey
{c246614a-ee40-4deb-a5bc-b0878350f06f}
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
BundleTag
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
EngineVersion
3.8.1128.0
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
DisplayIcon
C:\ProgramData\Package Cache\{c246614a-ee40-4deb-a5bc-b0878350f06f}\Setup.exe,0
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
DisplayName
AnalyzeMe
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
DisplayVersion
2.0.3.0
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
Publisher
RealityMine Ltd
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
ModifyPath
"C:\ProgramData\Package Cache\{c246614a-ee40-4deb-a5bc-b0878350f06f}\Setup.exe" /modify
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
NoElevateOnModify
1
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
QuietUninstallString
"C:\ProgramData\Package Cache\{c246614a-ee40-4deb-a5bc-b0878350f06f}\Setup.exe" /uninstall /quiet
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
UninstallString
"C:\ProgramData\Package Cache\{c246614a-ee40-4deb-a5bc-b0878350f06f}\Setup.exe" /uninstall
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
EstimatedSize
9847
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{c246614a-ee40-4deb-a5bc-b0878350f06f}
{c246614a-ee40-4deb-a5bc-b0878350f06f}
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{c246614a-ee40-4deb-a5bc-b0878350f06f}
Version
2.0.3.0
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{c246614a-ee40-4deb-a5bc-b0878350f06f}
DisplayName
AnalyzeMe
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
Resume
1
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
{c246614a-ee40-4deb-a5bc-b0878350f06f}
"C:\ProgramData\Package Cache\{c246614a-ee40-4deb-a5bc-b0878350f06f}\Setup.exe" /burn.log.append "C:\Users\admin\AppData\Local\Temp\AnalyzeMe_20181206093356.log" /burn.runonce
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{F07BB8AF-E324-4701-A507-931AD97BBD41}
Version
2.0.3.0
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{F07BB8AF-E324-4701-A507-931AD97BBD41}
DisplayName
AnalyzeMe x86 2.0.3.0
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter
52
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
Resume
3
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{c246614a-ee40-4deb-a5bc-b0878350f06f}
Installed
1
2892
Setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
PendingFileRenameOperations
\??\C:\Users\admin\AppData\Local\Temp\DELF072.tmp
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Enter)
4000000000000000443F14D7468DD401600D0000500F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Enter)
4000000000000000443F14D7468DD401600D0000080B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Enter)
4000000000000000443F14D7468DD401600D00001C0B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Enter)
4000000000000000443F14D7468DD401600D0000800F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Leave)
400000000000000052661BD7468DD401600D0000800F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Leave)
400000000000000052661BD7468DD401600D0000500F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Leave)
4000000000000000062B20D7468DD401600D00001C0B0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Leave)
4000000000000000608D22D7468DD401600D0000080B0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Enter)
4000000000000000AACC1DDF468DD401600D0000080B00000104000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Leave)
4000000000000000AACC1DDF468DD401600D0000080B00000104000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Enter)
4000000000000000B8F324DF468DD401600D0000500F0000E903000001000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
4000000000000000B8F324DF468DD401600D0000080B0000E903000001000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Enter)
4000000000000000B8F324DF468DD401600D00001C0B0000E903000001000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Leave)
4000000000000000C61A2CDF468DD401600D0000500F0000E903000000000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000C61A2CDF468DD401600D0000500F00000100000001000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Leave)
4000000000000000C61A2CDF468DD401600D0000080B0000E903000000000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000C61A2CDF468DD401600D0000080B00000100000001000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Leave)
4000000000000000C61A2CDF468DD401600D00001C0B0000E903000000000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000C61A2CDF468DD401600D00001C0B00000100000001000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Enter)
4000000000000000C0A254DF468DD401600D00001C0B0000F903000001000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Enter)
4000000000000000C0A254DF468DD401600D0000080B0000F903000001000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Enter)
4000000000000000C0A254DF468DD401600D0000500F0000F903000001000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Leave)
40000000000000001A0557DF468DD401600D00001C0B0000F903000000000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Leave)
40000000000000001A0557DF468DD401600D0000080B0000F903000000000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Leave)
40000000000000001A0557DF468DD401600D0000500F0000F903000000000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Enter)
4000000000000000282C5EDF468DD401600D00008C0A00000204000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Leave)
40000000000000009A9BEFDF468DD401600D00008C0A00000204000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Enter)
40000000000000009A9BEFDF468DD401600D00008C0A0000EA03000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Enter)
4000000000000000104C00E0468DD401600D000028090000EA03000001000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Enter)
4000000000000000104C00E0468DD401600D000024090000EA03000001000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Enter)
4000000000000000104C00E0468DD401600D000030090000EA03000001000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Leave)
4000000000000000BE982DE0468DD401600D000028090000EA03000000000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000BE982DE0468DD401600D0000280900000200000001000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Leave)
400000000000000018FB2FE0468DD401600D000024090000EA03000000000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
400000000000000018FB2FE0468DD401600D0000240900000200000001000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Leave)
400000000000000018FB2FE0468DD401600D000030090000EA03000000000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
400000000000000018FB2FE0468DD401600D0000300900000200000001000000010000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Leave)
40000000000000003CF86DE0468DD401600D00008C0A0000EA03000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Enter)
40000000000000003CF86DE0468DD401600D00008C0A0000EB03000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Enter)
40000000000000003CF86DE0468DD401600D00008C0A0000EC03000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Enter)
4000000000000000F0BC72E0468DD401600D000038090000EB03000001000000020000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Leave)
4000000000000000F0BC72E0468DD401600D000038090000EB03000000000000020000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000F0BC72E0468DD401600D0000380900000300000001000000020000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000F0BC72E0468DD401600D0000AC030000FC03000001000000030000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Leave)
4000000000000000F0BC72E0468DD401600D00008C0A0000EC03000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Enter)
4000000000000000F0BC72E0468DD401600D00008C0A0000ED03000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Leave)
4000000000000000A48177E0468DD401600D00008C0A0000ED03000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Enter)
4000000000000000A48177E0468DD401600D00008C0A0000EE03000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Enter)
4000000000000000FEE379E0468DD401600D000034090000EB03000001000000020000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Leave)
4000000000000000FEE379E0468DD401600D000034090000EB03000000000000020000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000FEE379E0468DD401600D0000340900000300000001000000020000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000FEE379E0468DD401600D000008090000FC03000001000000030000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Leave)
4000000000000000B2A87EE0468DD401600D00008C0A0000EE03000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Enter)
4000000000000000B2A87EE0468DD401600D00008C0A0000F003000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Leave)
4000000000000000B2A87EE0468DD401600D00008C0A0000F003000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Enter)
4000000000000000B2A87EE0468DD401600D00008C0A0000EF03000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Enter)
4000000000000000C0CF85E0468DD401600D000030090000EB03000001000000020000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Leave)
4000000000000000CEF68CE0468DD401600D000030090000EB03000000000000020000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000CEF68CE0468DD401600D0000300900000300000001000000020000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000CEF68CE0468DD401600D0000300A0000FC03000001000000030000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Leave)
4000000000000000CEF68CE0468DD401600D00008C0A0000EF03000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Leave)
4000000000000000CEF68CE0468DD401600D00008C0A0000EB03000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Enter)
4000000000000000CEF68CE0468DD401600D00008C0A00000304000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Leave)
4000000000000000CEF68CE0468DD401600D00008C0A00000304000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Enter)
4000000000000000CEF68CE0468DD401600D00008C0A0000FD03000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Enter)
4000000000000000CEF68CE0468DD401600D0000D4060000FD03000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Leave)
400000000000000090E298E0468DD401600D0000D4060000FD03000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Leave)
400000000000000090E298E0468DD401600D00008C0A0000FD03000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Enter)
400000000000000090E298E0468DD401600D0000D4060000FE03000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Leave)
4000000000000000F86BA2E0468DD401600D0000D4060000FE03000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Enter)
4000000000000000F86BA2E0468DD401600D0000D4060000FF03000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Leave)
4000000000000000F86BA2E0468DD401600D0000D4060000FF03000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Enter)
400000000000000090E298E0468DD401600D00008C0A0000FE03000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Leave)
4000000000000000F86BA2E0468DD401600D00008C0A0000FE03000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Enter)
4000000000000000F86BA2E0468DD401600D00008C0A0000FF030000010000000000000000000000000000000000000000000000000000000000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Leave)
4000000000000000F86BA2E0468DD401600D00008C0A0000FF030000000000000000000000000000000000000000000000000000000000000000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Enter)
4000000000000000F86BA2E0468DD401600D0000DC0600000404000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Leave)
4000000000000000F86BA2E0468DD401600D0000DC0600000404000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Enter)
400000000000000052CEA4E0468DD401600D00008C0A00000504000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Leave)
400000000000000052CEA4E0468DD401600D00008C0A00000504000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Enter)
400000000000000052CEA4E0468DD401600D00008C0A0000F403000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Leave)
400000000000000052CEA4E0468DD401600D00008C0A0000F403000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Enter)
400000000000000052CEA4E0468DD401600D00008C0A0000F203000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Enter)
40000000000000009891C8E0468DD401600D000038090000F203000001000000030000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Leave)
40000000000000009891C8E0468DD401600D0000AC030000FC03000000000000030000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Enter)
40000000000000009891C8E0468DD401600D000034090000F203000001000000030000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Enter)
40000000000000009891C8E0468DD401600D000028090000F203000001000000030000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Leave)
40000000000000009891C8E0468DD401600D000038090000F203000000000000030000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
40000000000000009891C8E0468DD401600D0000380900000400000001000000030000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Leave)
40000000000000009891C8E0468DD401600D000008090000FC03000000000000030000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Leave)
40000000000000009891C8E0468DD401600D0000300A0000FC03000000000000030000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Leave)
40000000000000009891C8E0468DD401600D000034090000F203000000000000030000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
40000000000000009891C8E0468DD401600D0000340900000400000001000000030000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Leave)
40000000000000009891C8E0468DD401600D000028090000F203000000000000030000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
40000000000000009891C8E0468DD401600D0000280900000400000001000000030000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Leave)
40000000000000009891C8E0468DD401600D00008C0A0000F203000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Enter)
40000000000000009891C8E0468DD401600D00008C0A00000604000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Leave)
400000000000000070530BE1468DD401600D00008C0A00000604000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Enter)
400000000000000070530BE1468DD401600D00008C0A0000F503000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Enter)
4000000000000000D8DC14E1468DD401600D000038090000F503000001000000040000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Enter)
4000000000000000D8DC14E1468DD401600D000034090000F503000001000000040000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Enter)
4000000000000000D8DC14E1468DD401600D000028090000F503000001000000040000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Leave)
4000000000000000323F17E1468DD401600D000038090000F503000000000000040000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000323F17E1468DD401600D0000380900000500000001000000040000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Leave)
4000000000000000323F17E1468DD401600D000034090000F503000000000000040000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000323F17E1468DD401600D0000340900000500000001000000040000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Leave)
40000000000000000E6F0AE2468DD401600D000028090000F503000000000000040000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
40000000000000000E6F0AE2468DD401600D0000280900000500000001000000040000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Leave)
40000000000000000E6F0AE2468DD401600D00008C0A0000F503000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Enter)
40000000000000000E6F0AE2468DD401600D00008C0A00000704000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Leave)
4000000000000000A06D29E2468DD401600D00008C0A00000704000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Enter)
4000000000000000326C48E2468DD401600D00008C0A0000FB03000001000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Enter)
400000000000000040934FE2468DD401600D000024090000FB03000001000000050000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Enter)
400000000000000040934FE2468DD401600D000034090000FB03000001000000050000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Leave)
400000000000000040934FE2468DD401600D000024090000FB03000000000000050000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Leave)
400000000000000040934FE2468DD401600D000034090000FB03000000000000050000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Enter)
400000000000000040934FE2468DD401600D000038090000FB03000001000000050000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Leave)
400000000000000040934FE2468DD401600D000038090000FB03000000000000050000000000000084B65B326BFF644794C989274B624F2A0000000000000000
3424
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Leave)
400000000000000040934FE2468DD401600D00008C0A0000FB03000000000000000000000000000084B65B326BFF644794C989274B624F2A0000000000000000
2740
DrvInst.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2764
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Owner
CC0A000048154EE1468DD401
2764
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
SessionHash
0AB89C155EF7C24E6ED1F4CD29144C0EFBEFE3513F4BA174649DFB3D0BBBEEDC
2764
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Sequence
1
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
C:\Windows\Installer\1cb743.ipi
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\1cb744.rbs
30707014
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\1cb744.rbsLow
3796705856
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49C4000B9E837854FA0EFD514DE0DCA8
FA8BB70F423E10745A7039A19DB7DB14
C:\Program Files\AnalyzeMe\UsageMonitor.UI.App.exe
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\287F7B3E0B2E2E45D8C60455E9198F3A
FA8BB70F423E10745A7039A19DB7DB14
01:\Software\Microsoft\Windows\CurrentVersion\Run\AnalyzeMe
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\50055B3652986615DB8E536278BD98C5
FA8BB70F423E10745A7039A19DB7DB14
01:\Software\UsageMonitor\InstallDir
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6A04900C9CB842C5EA7E80045EB2BA67
FA8BB70F423E10745A7039A19DB7DB14
01:\Software\UsageMonitor\HealthCheckDir
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\78016E864B4227E5F9F4C2C9E2554324
FA8BB70F423E10745A7039A19DB7DB14
01:\Software\UsageMonitor\WindowsServiceDir
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\066B1E609E85F394E989591DA7A7C273
FA8BB70F423E10745A7039A19DB7DB14
C:\Program Files\AnalyzeMe\UsageMonitor.WindowsService.exe
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\949247E0F86240544BCA6BA0D3C6750A
FA8BB70F423E10745A7039A19DB7DB14
01:\Software\Microsoft\AnalyzeMe\installed
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\600ED6B764C8A085DAFC4FC548E54659
FA8BB70F423E10745A7039A19DB7DB14
02:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallWhitelist\1
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Program Files\AnalyzeMe\
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Windows\Installer\{F07BB8AF-E324-4701-A507-931AD97BBD41}\
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnalyzeMe\
2764
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Windows\CurrentVersion\Run
AnalyzeMe
C:\Program Files\AnalyzeMe\UsageMonitor.UI.App.exe /StartMinimized
2764
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\Windows\CurrentVersion\Run
AnalyzeMeHealthcheck
C:\Program Files\AnalyzeMe\UsageMonitor.HealthCheck.exe
2764
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\UsageMonitor
InstallDir
C:\Program Files\AnalyzeMe\UsageMonitor.UI.App.exe
2764
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\UsageMonitor
HealthCheckDir
C:\Program Files\AnalyzeMe\UsageMonitor.HealthCheck.exe
2764
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\UsageMonitor
WindowsServiceDir
C:\Program Files\AnalyzeMe\UsageMonitor.WindowsService.exe
2764
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\AnalyzeMe
installed
1
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallWhitelist
1
cejmohmknogoalaebfiimmgbghdjindp
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\cejmohmknogoalaebfiimmgbghdjindp
update_url
https://clients2.google.com/service/update2/crx
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
LocalPackage
C:\Windows\Installer\1cb745.msi
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
AuthorizedCDFPrefix
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
Comments
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
Contact
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
DisplayVersion
2.0.3.0
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
HelpLink
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
HelpTelephone
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
InstallDate
20181206
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
InstallLocation
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
InstallSource
C:\ProgramData\Package Cache\{F07BB8AF-E324-4701-A507-931AD97BBD41}v2.0.3.0\
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
ModifyPath
MsiExec.exe /X{F07BB8AF-E324-4701-A507-931AD97BBD41}
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
NoModify
1
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
Publisher
RealityMine Ltd
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
Readme
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
Size
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
EstimatedSize
7900
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
SystemComponent
1
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
UninstallString
MsiExec.exe /X{F07BB8AF-E324-4701-A507-931AD97BBD41}
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
URLInfoAbout
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
URLUpdateInfo
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
VersionMajor
2
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
VersionMinor
0
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
WindowsInstaller
1
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
Version
33554435
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
Language
1033
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
AuthorizedCDFPrefix
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
Comments
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
Contact
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
DisplayVersion
2.0.3.0
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
HelpLink
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
HelpTelephone
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
InstallDate
20181206
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
InstallLocation
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
InstallSource
C:\ProgramData\Package Cache\{F07BB8AF-E324-4701-A507-931AD97BBD41}v2.0.3.0\
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
ModifyPath
MsiExec.exe /X{F07BB8AF-E324-4701-A507-931AD97BBD41}
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
NoModify
1
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
Publisher
RealityMine Ltd
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
Readme
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
Size
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
EstimatedSize
7900
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
SystemComponent
1
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
UninstallString
MsiExec.exe /X{F07BB8AF-E324-4701-A507-931AD97BBD41}
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
URLInfoAbout
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
URLUpdateInfo
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
VersionMajor
2
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
VersionMinor
0
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
WindowsInstaller
1
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
Version
33554435
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
Language
1033
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\A18C9A89BF94C864286F5B82AA5A59EA
FA8BB70F423E10745A7039A19DB7DB14
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\InstallProperties
DisplayName
AnalyzeMe x86 2.0.3.0
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F07BB8AF-E324-4701-A507-931AD97BBD41}
DisplayName
AnalyzeMe x86 2.0.3.0
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\FA8BB70F423E10745A7039A19DB7DB14
AnalyzeMe
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\Features
AnalyzeMe
eG1XamsLE=XzY%*d`t[T=k$4rHw~?CcH}ICJ}Rd]A.w&H5aj1B%%s?0r6'hE)@6ffS98]E]WFY8[1u.NeseeI~C1FF1PP4Zxc^?9~!!6%HE&V?r+]Fl&@@g5s0r_'~zM3=J'cM&uyEU[McyaO^!4ADLGOsEZ67$X
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FA8BB70F423E10745A7039A19DB7DB14\Patches
AllPatches
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FA8BB70F423E10745A7039A19DB7DB14
ProductName
AnalyzeMe x86 2.0.3.0
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FA8BB70F423E10745A7039A19DB7DB14
PackageCode
39AFC4595B737A84A859D2E0400ECDF3
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FA8BB70F423E10745A7039A19DB7DB14
Language
1033
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FA8BB70F423E10745A7039A19DB7DB14
Version
33554435
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FA8BB70F423E10745A7039A19DB7DB14
Assignment
1
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FA8BB70F423E10745A7039A19DB7DB14
AdvertiseFlags
388
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FA8BB70F423E10745A7039A19DB7DB14
InstanceType
0
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FA8BB70F423E10745A7039A19DB7DB14
AuthorizedLUAApp
0
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FA8BB70F423E10745A7039A19DB7DB14
DeploymentFlags
3
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A18C9A89BF94C864286F5B82AA5A59EA
FA8BB70F423E10745A7039A19DB7DB14
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FA8BB70F423E10745A7039A19DB7DB14\SourceList
PackageName
Installer.Setup.msi
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FA8BB70F423E10745A7039A19DB7DB14\SourceList\Net
1
C:\ProgramData\Package Cache\{F07BB8AF-E324-4701-A507-931AD97BBD41}v2.0.3.0\
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FA8BB70F423E10745A7039A19DB7DB14\SourceList\Media
1
;
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FA8BB70F423E10745A7039A19DB7DB14
Clients
:
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\FA8BB70F423E10745A7039A19DB7DB14\SourceList
LastUsedSource
n;1;C:\ProgramData\Package Cache\{F07BB8AF-E324-4701-A507-931AD97BBD41}v2.0.3.0\
2764
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings
StringCacheGeneration
96
2764
msiexec.exe
delete key
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
2764
msiexec.exe
delete key
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F
2764
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
2764
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback
2764
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
2764
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
4076
UsageMonitor.WindowsService.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application
AutoBackupLogFiles
0
4076
UsageMonitor.WindowsService.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\AMSystemMonitorSvc
EventMessageFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll
1888
UsageMonitor.UI.App.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\61\52C64B7E
LanguageList
en-US
1888
UsageMonitor.UI.App.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\61\52C64B7E
@%SystemRoot%\system32\p2pcollab.dll,-8042
Peer to Peer Trust
1888
UsageMonitor.UI.App.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\61\52C64B7E
@%SystemRoot%\system32\qagentrt.dll,-10
System Health Authentication
1888
UsageMonitor.UI.App.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\61\52C64B7E
@%SystemRoot%\system32\dnsapi.dll,-103
Domain Name System (DNS) Server Trust
1888
UsageMonitor.UI.App.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\61\52C64B7E
@%SystemRoot%\System32\fveui.dll,-843
BitLocker Drive Encryption
1888
UsageMonitor.UI.App.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\61\52C64B7E
@%SystemRoot%\System32\fveui.dll,-844
BitLocker Data Recovery Agent
1888
UsageMonitor.UI.App.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
UsageMonitor.UI.App.exe
1888
UsageMonitor.UI.App.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\UsageMonitor_RASAPI32
EnableFileTracing
0
1888
UsageMonitor.UI.App.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\UsageMonitor_RASAPI32
EnableConsoleTracing
0
1888
UsageMonitor.UI.App.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\UsageMonitor_RASAPI32
FileTracingMask
4294901760
1888
UsageMonitor.UI.App.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\UsageMonitor_RASAPI32
ConsoleTracingMask
4294901760
1888
UsageMonitor.UI.App.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\UsageMonitor_RASAPI32
MaxFileSize
1048576
1888
UsageMonitor.UI.App.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\UsageMonitor_RASAPI32
FileDirectory
%windir%\tracing
1888
UsageMonitor.UI.App.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\UsageMonitor_RASMANCS
EnableFileTracing
0
1888
UsageMonitor.UI.App.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\UsageMonitor_RASMANCS
EnableConsoleTracing
0
1888
UsageMonitor.UI.App.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\UsageMonitor_RASMANCS
FileTracingMask
4294901760
1888
UsageMonitor.UI.App.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\UsageMonitor_RASMANCS
ConsoleTracingMask
4294901760
1888
UsageMonitor.UI.App.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\UsageMonitor_RASMANCS
MaxFileSize
1048576
1888
UsageMonitor.UI.App.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\UsageMonitor_RASMANCS
FileDirectory
%windir%\tracing
1888
UsageMonitor.UI.App.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow
Left
0
1888
UsageMonitor.UI.App.exe
write
HKEY_CURRENT_USER\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow
Top
0
1888
UsageMonitor.UI.App.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings
––
1888
UsageMonitor.UI.App.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
1888
UsageMonitor.UI.App.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1888
UsageMonitor.UI.App.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
––
1888
UsageMonitor.UI.App.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000006B000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

Files activity

Executable files
39
Suspicious files
9
Text files
135
Unknown types
10

Dropped files

PID
Process
Filename
Type
3232
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\151-windowsdesktop-release-2.0.3.0-zc--setup[1].exe
executable
MD5: 9dc670631733ecc7fa6ffc5c6515e3ac
SHA256: 69b74810457094c09a100f02de85abbe5407f8c6f54d8967a5e81bcbed2dd521
2764
msiexec.exe
C:\Program Files\AnalyzeMe\Newtonsoft.Json.dll
executable
MD5: 40e0bb13687c18731574e95a592c9b19
SHA256: f120c1c94add91bb23bd72f9999a788e5b4474558f85fe52ca9a164aaaff213c
2892
Setup.exe
C:\ProgramData\Package Cache\.unverified\AnalyzeMeInstallerWin7x86
executable
MD5: 92af49dbb7c773a739f20ab2170ae69e
SHA256: 32860ea89c589bca09e5d6a3fe70c3c0e21bbecadb72a942c35d3fc3b4dc3942
2764
msiexec.exe
C:\Program Files\AnalyzeMe\UsageMonitor.CPUID.SDK.dll
executable
MD5: 1fda8758e5bb110a6ee5ebebfe3ab7b1
SHA256: 06d1b6bf00c480e0afa825a542a9c3bcccd01a237299d75863cbe3a649fa9564
2892
Setup.exe
C:\ProgramData\Package Cache\{F07BB8AF-E324-4701-A507-931AD97BBD41}v2.0.3.0\Installer.Setup.msi
executable
MD5: 92af49dbb7c773a739f20ab2170ae69e
SHA256: 32860ea89c589bca09e5d6a3fe70c3c0e21bbecadb72a942c35d3fc3b4dc3942
2764
msiexec.exe
C:\Program Files\AnalyzeMe\UsageMonitor.HealthCheck.exe
executable
MD5: 0282f693dcfbcd76286fe1f4b9ff378f
SHA256: c8ddb7988c63cf490b71066ba2f766d1415fe3e4a73985f6e40d2720ea3f7e3f
3044
serveFile[1].exe
C:\Users\admin\AppData\Local\Temp\{c246614a-ee40-4deb-a5bc-b0878350f06f}\.be\Setup.exe
executable
MD5: fdf647f06f8c90cd3c3700b3dd3bd365
SHA256: f3c0084f5b0c734c91216f04bbf449ef0f9def3787d5bcf752017c4edc14664c
2764
msiexec.exe
C:\Program Files\AnalyzeMe\UsageMonitor.Library.dll
executable
MD5: 64b3f96faf59460ed7c2bd017f42b048
SHA256: f7e67063b5bcc7dcb86475744333eb113ae181ab6e9b73c7482d132502105e36
3044
serveFile[1].exe
C:\Users\admin\AppData\Local\Temp\{c246614a-ee40-4deb-a5bc-b0878350f06f}\.ba1\BouncyCastle.Crypto.dll
executable
MD5: d2174be3b3b7f1df738795e924acd952
SHA256: cb533a19dea4f84ca1382fc92a6f6bd9bbc241bdf2b24bc3262d9f23f6d7c3c7
2764
msiexec.exe
C:\Program Files\AnalyzeMe\UsageMonitor.Utilities.dll
executable
MD5: a7e4556709ea3204a9596a0978aba5a0
SHA256: 7d96aae798b7eb5252f753f5f3507b722b4f38f8548d6c3f23621e652d1f315c
2764
msiexec.exe
C:\Program Files\AnalyzeMe\Nancy.dll
executable
MD5: 30b1a91c1db594edabcffacc2efd0d7b
SHA256: 5c35540a0c9e61a993de2eab074abc9f819b5baf0770bf295069ea97d591a7bb
3044
serveFile[1].exe
C:\Users\admin\AppData\Local\Temp\{c246614a-ee40-4deb-a5bc-b0878350f06f}\.ba1\UsageMonitor.Utilities.dll
executable
MD5: 8dbc5ba53755e21e93decf4808f9e3e8
SHA256: 05aab701baef729aa12e3f61f7936a46bf8222f6e167ff48c7c43d32ecd3d39b
2764
msiexec.exe
C:\Windows\Installer\1cb741.msi
executable
MD5: 92af49dbb7c773a739f20ab2170ae69e
SHA256: 32860ea89c589bca09e5d6a3fe70c3c0e21bbecadb72a942c35d3fc3b4dc3942
2764
msiexec.exe
C:\Program Files\AnalyzeMe\UsageMonitor.WindowsService.exe
executable
MD5: e001413ff76277eb51457dd8ae3c25eb
SHA256: 1977f816dc03cc0cc17ee14409f5243dd19169827a2fbf9bbe96d5eb7f6353d9
2764
msiexec.exe
C:\Program Files\AnalyzeMe\Nancy.Hosting.Self.dll
executable
MD5: 6205ddb485c48ab0cec8a47c2d655cd7
SHA256: 34e9bef180f32b122490d0f59ec0ac1edcf62bb706890af8c6681cfc14a6d6a4
3044
serveFile[1].exe
C:\Users\admin\AppData\Local\Temp\{c246614a-ee40-4deb-a5bc-b0878350f06f}\.ba1\BootstrapperCore.dll
executable
MD5: 6720b58841b9217a2960c7f2d2b8ce2d
SHA256: 11355cec155129d0343a44512cb9c601d96f9014d7a3a1a5fc7ead8e84d003dc
2764
msiexec.exe
C:\Windows\Installer\MSIBA8E.tmp
executable
MD5: a0962dd193b82c1946dc67e140ddf895
SHA256: b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9
2764
msiexec.exe
C:\Windows\Installer\1cb745.msi
executable
MD5: 92af49dbb7c773a739f20ab2170ae69e
SHA256: 32860ea89c589bca09e5d6a3fe70c3c0e21bbecadb72a942c35d3fc3b4dc3942
2764
msiexec.exe
C:\Program Files\AnalyzeMe\Microsoft.Windows.Shell.dll
executable
MD5: 8c57270aea8639e85b31749b0cc0a732
SHA256: b6e0b3380cd45473f36d3fd822b85591bc2f7d0a1475355dc35e978f412522c4
3044
serveFile[1].exe
C:\Users\admin\AppData\Local\Temp\{c246614a-ee40-4deb-a5bc-b0878350f06f}\.ba1\mbapreq.dll
executable
MD5: 36b53c5299a3b39e5c9cdbbd28a09506
SHA256: 97f1901e7c928b9231e503cd3a1315f0d8449356b9f25e7eb4c2cebeee72012a
2764
msiexec.exe
C:\Program Files\AnalyzeMe\UsageMonitor.UI.App.exe
executable
MD5: 39af0cb9f033926cfd244ace0aafa911
SHA256: 8f7ba6ff46523745d4b686da72320b8e10b15d4065706688c8ddeb4cd6c0a21a
2892
Setup.exe
C:\Users\admin\AppData\Local\Temp\DELF072.tmp
executable
MD5: fdf647f06f8c90cd3c3700b3dd3bd365
SHA256: f3c0084f5b0c734c91216f04bbf449ef0f9def3787d5bcf752017c4edc14664c
2764
msiexec.exe
C:\Program Files\AnalyzeMe\BouncyCastle.Crypto.dll
executable
MD5: d2174be3b3b7f1df738795e924acd952
SHA256: cb533a19dea4f84ca1382fc92a6f6bd9bbc241bdf2b24bc3262d9f23f6d7c3c7
3044
serveFile[1].exe
C:\Users\admin\AppData\Local\Temp\{c246614a-ee40-4deb-a5bc-b0878350f06f}\.ba1\Installer.BootstrapperApplication.dll
executable
MD5: 18d6a804fd211686a030f9719a7ac958
SHA256: f8f027e1e38b1da97705eabf2bdf1cc4541c080dbf76f98a5af75e066a84f9b3
2764
msiexec.exe
C:\Program Files\AnalyzeMe\cpuidsdk.dll
executable
MD5: ab7e628e80b6f7ae15fa1a728cee3e5a
SHA256: 9b466a6f4c2e8481df962b68cbf78f25049b361d3c8aaea78162df0aae12f5d3
3044
serveFile[1].exe
C:\Users\admin\AppData\Local\Temp\DELF0FF.tmp
executable
MD5: 6720b58841b9217a2960c7f2d2b8ce2d
SHA256: 11355cec155129d0343a44512cb9c601d96f9014d7a3a1a5fc7ead8e84d003dc
2764
msiexec.exe
C:\Program Files\AnalyzeMe\Elysium.dll
executable
MD5: a9ef2a4dea59693a9846be4c050d3f92
SHA256: ccb3f17baf75a558c45d7098a00e523a3fb2439fc1153ab4019db630fd2d7956
3044
serveFile[1].exe
C:\Users\admin\AppData\Local\Temp\{c246614a-ee40-4deb-a5bc-b0878350f06f}\.ba1\mbahost.dll
executable
MD5: 72aad48433f2fadff1369750cba0bf89
SHA256: 0f27d7cb7d073f90f2d5cbe8a7b5f84792b15eb9bd60301da2fdd7ac5a7a564a
2764
msiexec.exe
C:\Program Files\AnalyzeMe\cpuidsdk64.dll
executable
MD5: fc6306c4327784d834e0b6637d1db46f
SHA256: 759b35f5be67a59234cb3988ebba93709afccd0fe469c17fefaeb0cbe7fbdecb
3044
serveFile[1].exe
C:\Users\admin\AppData\Local\Temp\DELF10F.tmp
executable
MD5: 18d6a804fd211686a030f9719a7ac958
SHA256: f8f027e1e38b1da97705eabf2bdf1cc4541c080dbf76f98a5af75e066a84f9b3
2764
msiexec.exe
C:\Program Files\AnalyzeMe\Microsoft.Expression.Drawing.dll
executable
MD5: 5bd39a82aacf1aa423e6eeeeda696eea
SHA256: 1d69eaf538008e0fe1a7eb2ce0124a49b95c491797749640c8351ed4643f5c97
2952
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\serveFile[1].exe
executable
MD5: 9dc670631733ecc7fa6ffc5c6515e3ac
SHA256: 69b74810457094c09a100f02de85abbe5407f8c6f54d8967a5e81bcbed2dd521
2764
msiexec.exe
C:\Program Files\AnalyzeMe\Hardcodet.Wpf.TaskbarNotification.dll
executable
MD5: 3fe79aa10b54b5ed58567918a6928166
SHA256: 8826eb989f55f0d8f545d4b421931fa4a923ab190c05ca76683916bcee63c6ab
3044
serveFile[1].exe
C:\Users\admin\AppData\Local\Temp\DELF111.tmp
executable
MD5: 8dbc5ba53755e21e93decf4808f9e3e8
SHA256: 05aab701baef729aa12e3f61f7936a46bf8222f6e167ff48c7c43d32ecd3d39b
2764
msiexec.exe
C:\Program Files\AnalyzeMe\FiddlerCore.dll
executable
MD5: e12dc991dbd28a65ed5ef5418b64df63
SHA256: 4d81b34c73efe9ac15d62d5bc41aa9909e7651c16ee2141692567638387c8647
2764
msiexec.exe


Network activity

HTTP(S) requests: 2
TCP/UDP connections: 6
DNS requests: 3
Threats: 0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2952 iexplore.exe GET 200 13.107.21.200:80 http://www.bing.com/favicon.ico US image –– whitelisted
3232 iexplore.exe GET 302 52.211.91.170:80 http://q.rmine.co/p/serveBinary.php?platform=windowsDesktop&version=2.0.3.0&brandId=151&status=release&update=true IE –– –– unknown


Connections

PID Process IP ASN CN Reputation
2952 iexplore.exe 13.107.21.200:80 Microsoft Corporation US whitelisted
3232 iexplore.exe 52.211.91.170:443 Amazon.com, Inc. IE unknown
3232 iexplore.exe 52.211.91.170:80 Amazon.com, Inc. IE unknown
1888 UsageMonitor.UI.App.exe 54.77.147.229:443 Amazon.com, Inc. IE unknown

DNS requests

Domain IP Reputation
www.bing.com 13.107.21.200, 204.79.197.200 whitelisted
q.rmine.co 52.211.91.170, 52.19.52.232 unknown
www.analyzeme.net 54.77.147.229 unknown

Threats

No threats detected.

Debug output strings

No debug info.