General Info

URL

http://securehub.top/files/DLK.msi

Full analysis
https://app.any.run/tasks/34532eb7-ddb5-4883-aad6-e8594444b15d
Verdict
Malicious activity
Threats:

Lokibot, also known as Loki-bot or Loki bot, is an information stealer malware that collects data from the most widely used web browsers, FTP and email clients, and over a hundred other software tools installed on the infected machine. It was developed in one of the ex-USSR countries.

Analysis date
11/8/2019, 17:36:51
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

exe-to-msi

loader

trojan

lokibot

Indicators:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's awareness. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • Uha.exe (PID: 2468)
  • Uha.exe (PID: 2552)
  • Kkzec93.exe (PID: 3832)
  • Hyp.exe (PID: 3924)
  • Kkzec93.exe (PID: 616)
  • Hyp.exe (PID: 3080)
Downloads executable files from the Internet
  • Hyp.exe (PID: 3080)
  • iexplore.exe (PID: 3744)
Detected artifacts of LokiBot
  • Hyp.exe (PID: 3080)
Changes the autorun value in the registry
  • Uha.exe (PID: 2552)
  • Hyp.exe (PID: 3924)
LOKIBOT was detected
  • Hyp.exe (PID: 3080)
Connects to CnC server
  • Hyp.exe (PID: 3080)
Actions look like stealing of personal data
  • Hyp.exe (PID: 3080)
Creates files in the user directory
  • Uha.exe (PID: 2468)
  • Hyp.exe (PID: 3080)
Executable content was dropped or overwritten
  • Hyp.exe (PID: 3080)
  • iexplore.exe (PID: 3744)
  • msiexec.exe (PID: 2788)
  • iexplore.exe (PID: 1296)
  • Kkzec93.exe (PID: 616)
  • MSIFC2F.tmp (PID: 460)
Executed as Windows Service
  • vssvc.exe (PID: 1160)
Drop ExeToMSI Application
  • iexplore.exe (PID: 1296)
  • iexplore.exe (PID: 3744)
  • msiexec.exe (PID: 2788)
Starts Microsoft Installer
  • iexplore.exe (PID: 1296)
Loads DLL from Mozilla Firefox
  • Hyp.exe (PID: 3080)
Starts itself from another location
  • Kkzec93.exe (PID: 616)
  • MSIFC2F.tmp (PID: 460)
Application launched itself
  • Kkzec93.exe (PID: 3832)
Creates files in the program directory
  • Hyp.exe (PID: 3080)
Starts application with an unusual extension
  • MSIFC2F.tmp (PID: 2280)
  • msiexec.exe (PID: 2788)
Application launched itself
  • iexplore.exe (PID: 1296)
Changes internet zones settings
  • iexplore.exe (PID: 1296)
Reads Internet Cache Settings
  • iexplore.exe (PID: 1296)
  • iexplore.exe (PID: 3744)
Application was dropped or rewritten from another process
  • MSIFC2F.tmp (PID: 2280)
  • MSIFC2F.tmp (PID: 460)
Low-level read access rights to disk partition
  • vssvc.exe (PID: 1160)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
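
The behavior list above is, in effect, the set of detection rules the sandbox fired on this chain: a browser hands a cached .msi to msiexec, msiexec extracts and runs an MSI*.tmp as a program, the payload relaunches itself from another location, and the final stage writes a Run-key value. The following is an added example, not ANY.RUN's code, that expresses the same four checks as standalone Python over Sysmon-style process-creation and registry events. The sample events are constructed: PIDs, images and command lines come from this report where it shows them; the Kkzec93.exe and Hyp.exe paths and the Run-key value name are assumptions, because the report truncates those process entries.

```python
"""Behavioural triage rules for the exe-to-MSI loader chain seen in this report.

Added example, not ANY.RUN's code.  It evaluates Sysmon-style events
(process creation, registry value set) against four rules that mirror the
sandbox signatures listed above.  The sample events are CONSTRUCTED: PIDs,
images and command lines come from the report where it shows them; the
Kkzec93.exe / Hyp.exe paths and the Run-key value name are assumptions.
"""
import re
from pathlib import PureWindowsPath

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe", "opera.exe"}
# Where browsers and mail clients put downloads and cached files.
DOWNLOAD_CACHE = re.compile(r"\\(Content\.IE5|INetCache|Downloads|AppData\\Local\\Temp)\\", re.I)
# Windows Installer extracts Binary-table payloads to this name before running them.
INSTALLER_TMP = re.compile(r"^[a-z]:\\windows\\installer\\msi[0-9a-f]+\.tmp$", re.I)
INSTALL_SWITCH = re.compile(r"(?:^|\s)/(?:i|package)(?:\s|$)", re.I)
AUTORUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def triage_event(ev: dict) -> list:
    """Return the rule names one event triggers (empty list when benign)."""
    hits = []
    if ev["type"] == "process_create":
        image = ev["image"]
        parent = ev.get("parent_image", "")
        cmd = ev.get("command_line", "")
        # 1. A browser hands a just-downloaded package to msiexec (the DLK.msi step).
        if (_base(parent) in BROWSERS and _base(image) == "msiexec.exe"
                and INSTALL_SWITCH.search(cmd) and DOWNLOAD_CACHE.search(cmd)):
            hits.append("browser_launched_msi_from_cache")
        # 2. msiexec runs an extracted MSI*.tmp as a program: the exe-to-MSI wrapper.
        if INSTALLER_TMP.match(image) and _base(parent) == "msiexec.exe":
            hits.append("msiexec_ran_installer_tmp_as_exe")
        # 3. Same file name as the parent, different directory: copied itself and re-ran.
        if parent and _base(image) == _base(parent) and _dir(image) != _dir(parent):
            hits.append("relaunched_from_other_location")
    elif ev["type"] == "registry_set":
        # 4. Any value written under Run/RunOnce is an autorun persistence attempt.
        if AUTORUN_KEY.search(ev["target_object"]):
            hits.append("autorun_persistence")
    return hits


def triage_log(events) -> dict:
    """Map PID -> list of triggered rules; PIDs with no hits are omitted."""
    findings = {}
    for ev in events:
        hits = triage_event(ev)
        if hits:
            findings.setdefault(ev["pid"], []).extend(hits)
    return findings


# CONSTRUCTED sample log.  Report-derived where noted, otherwise assumed.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3744,            # report: IE tab process (benign relaunch)
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "command_line": r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1296 CREDAT:71937'},
    {"type": "process_create", "pid": 2184,            # report: msiexec /i on the cached DLK[1].msi
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "command_line": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Microsoft\Windows'
                     r'\Temporary Internet Files\Content.IE5\LH043OAM\DLK[1].msi"'},
    {"type": "process_create", "pid": 2280,            # report: extracted payload run by msiexec
     "image": r"C:\Windows\Installer\MSIFC2F.tmp",
     "parent_image": r"C:\Windows\system32\msiexec.exe",
     "command_line": r'"C:\Windows\Installer\MSIFC2F.tmp"'},
    {"type": "process_create", "pid": 616,             # report: PID only; both paths ASSUMED
     "image": r"C:\Users\admin\AppData\Roaming\Kkzec93.exe",
     "parent_image": r"C:\Users\admin\AppData\Local\Temp\Kkzec93.exe",
     "command_line": r'"C:\Users\admin\AppData\Roaming\Kkzec93.exe"'},
    {"type": "registry_set", "pid": 3924,              # report: Hyp.exe sets autorun; path/value ASSUMED
     "image": r"C:\Users\admin\AppData\Roaming\Hyp.exe",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Hyp"},
    {"type": "registry_set", "pid": 1412,              # benign control event, ASSUMED
     "image": r"C:\Windows\explorer.exe",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for pid, rules in sorted(triage_log(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

Rule 2 on its own is noisy: any legitimate MSI with an EXE custom action also produces a C:\Windows\Installer\MSIxxxx.tmp child of msiexec.exe. The signal in this report is the whole sequence within one task, a browser-launched install from the IE cache, the .tmp payload, a self-relaunch from a second location, and a Run-key write, so correlate the four findings by time and by the parent/child chain rather than alerting on any one of them.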

Screenshots

Processes

Total processes
48
Monitored processes
13
Malicious processes
7
Suspicious processes
3

Behavior graph

Flattened from the interactive graph; the edge labels in the graph are "start", "drop and start" and "download and start", and "no specs" marks a node with no specification icons:

  • iexplore.exe
  • iexplore.exe
  • msiexec.exe (no specs)
  • msiexec.exe
  • vssvc.exe (no specs)
  • msifc2f.tmp (no specs)
  • msifc2f.tmp
  • hyp.exe (#LOKIBOT)
  • hyp.exe
  • kkzec93.exe (no specs)
  • kkzec93.exe
  • uha.exe
  • uha.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
1296
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" "http://securehub.top/files/DLK.msi"
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\winshfhc.dll
c:\windows\system32\wdscore.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\msiexec.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\mpr.dll

PID
3744
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1296 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\version.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wship6.dll
c:\windows\system32\uxtheme.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\sxs.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\wpc.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\msiexec.exe

PID
2184
CMD
"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\DLK[1].msi"
Path
C:\Windows\System32\msiexec.exe
Indicators
No indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll

PID
2788
CMD
C:\Windows\system32\msiexec.exe /V
Path
C:\Windows\system32\msiexec.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samlib.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\installer\msifc2f.tmp
c:\windows\system32\devrtl.dll

PID
1160
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
2280
CMD
"C:\Windows\Installer\MSIFC2F.tmp"
Path
C:\Windows\Installer\MSIFC2F.tmp
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Bitcore
Description
BES
Version
1.00
Modules
Image
c:\windows\installer\msifc2f.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

PID
460
CMD
"C:\Windows\Installer\MSIFC2F.tmp"
Path
C:\Windows\Installer\MSIFC2F.tmp
Indicators
Parent process
MSIFC2F.tmp
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Bitcore
Description
BES
Version
1.00
Modules
Image
c:\windows\installer\msifc2f.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\users\admin\eph\hyp.exe

PID
3924
CMD
"C:\Users\admin\eph\Hyp.exe"
Path
C:\Users\admin\eph\Hyp.exe
Indicators
Parent process
MSIFC2F.tmp
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Bitcore
Description
BES
Version
1.00
Modules
Image
c:\users\admin\eph\hyp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\apphelp.dll

PID
3080
CMD
"C:\Users\admin\eph\Hyp.exe"
Path
C:\Users\admin\eph\Hyp.exe
Indicators
Parent process
Hyp.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Bitcore
Description
BES
Version
1.00
Modules
Image
c:\users\admin\eph\hyp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\program files\mozilla firefox\nss3.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\vaultcli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\roaming\kkzec93.exe

PID
3832
CMD
"C:\Users\admin\AppData\Roaming\Kkzec93.exe"
Path
C:\Users\admin\AppData\Roaming\Kkzec93.exe
Indicators
No indicators
Parent process
Hyp.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
alcATEL
Description
FAC
Version
1.00
Modules
Image
c:\users\admin\appdata\roaming\kkzec93.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

PID
616
CMD
"C:\Users\admin\AppData\Roaming\Kkzec93.exe"
Path
C:\Users\admin\AppData\Roaming\Kkzec93.exe
Indicators
Parent process
Kkzec93.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
alcATEL
Description
FAC
Version
1.00
Modules
Image
c:\users\admin\appdata\roaming\kkzec93.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\users\admin\rea\uha.exe

PID
2552
CMD
"C:\Users\admin\REA\Uha.exe"
Path
C:\Users\admin\REA\Uha.exe
Indicators
Parent process
Kkzec93.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
alcATEL
Description
FAC
Version
1.00
Modules
Image
c:\users\admin\rea\uha.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\apphelp.dll

PID
2468
CMD
"C:\Users\admin\REA\Uha.exe"
Path
C:\Users\admin\REA\Uha.exe
Indicators
Parent process
Uha.exe
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
alcATEL
Description
FAC
Version
1.00
Modules
Image
c:\users\admin\rea\uha.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcp60.dll
c:\windows\system32\winmm.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\psapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll

Registry activity

Total events
1286
Read events
1045
Write events
233
Delete events
8

Modification events

PID
Process
Operation
Key
Name
Value
1296
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019092020190921
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{FFE04711-0245-11EA-AB41-5254004A04AF}
0
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
2
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E3070B0005000800100025000600D003
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
2
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E3070B0005000800100025000600D003
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
08000000020000000C01000001000000020000007E0000000000000070003200EC000000464B245120005355474745537E312E55524C0000540008000400EFBE454B974D464B24512A000000F94300000000020000000000000000000000000000005300750067006700650073007400650064002000530069007400650073002E00750072006C0000001C00000000000000820000000100000074003200E2000000464B24512000574542534C497E312E55524C0000580008000400EFBE454B864A464B24512A000000743E0000000003000000000000000000000000000000570065006200200053006C006900630065002000470061006C006C006500720079002E00750072006C0000001C00000000000000
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
2
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E3070B0005000800100025000700B300
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
7
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
2
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070B0005000800100025000700D200
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
39
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
2
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E3070B00050008001000250007001101
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
27
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E3070B0005000800100025000C005F0100000000
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
NotifyDownloadComplete
yes
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019110820191109
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019110820191109
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019110820191109
CachePrefix
:2019110820191109:
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019110820191109
CacheLimit
8192
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019110820191109
CacheOptions
11
1296
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019110820191109
CacheRepair
0
3744
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829
3744
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019110820191109
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019110820191109
3744
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019110820191109
CachePrefix
:2019110820191109:
3744
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019110820191109
CacheLimit
8192
3744
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019110820191109
CacheOptions
11
3744
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019110820191109
CacheRepair
0
2788
msiexec.exe
delete key
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\12B\52C64B7E
2788
msiexec.exe
delete key
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\12B
2788
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
2788
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback
2788
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
2788
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Enter)
4000000000000000EA3D24C65296D501E40A0000E8060000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Enter)
400000000000000044A026C65296D501E40A0000E8060000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
LastIndex
33
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Enter)
4000000000000000FA9B83C65296D501E40A0000E8060000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Enter)
4000000000000000AE6088C65296D501E40A0000E4040000E8030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Leave)
4000000000000000DE7AA6C75296D501E40A0000E4040000E8030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Leave)
4000000000000000FEEA29CD5296D501E40A0000E8060000D3070000010000000000000000000000000000000000000000000000000000000000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Enter)
4000000000000000FEEA29CD5296D501E40A0000E8060000D4070000000000000000000000000000000000000000000000000000000000000000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Leave)
400000000000000028603FCD5296D501E40A0000E8060000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Enter)
4000000000000000F87252CD5296D501E40A0000EC010000E9030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Leave)
4000000000000000D6AC6CCD5296D501E40A0000EC010000E9030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Enter)
4000000000000000D6AC6CCD5296D501E40A000094050000F9030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Leave)
4000000000000000989878CD5296D501E40A000094050000F9030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Enter)
40000000000000004C5D7DCD5296D501E40A0000E80600000A040000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Leave)
40000000000000005EF234CE5296D501E40A0000D80800000A040000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Leave)
40000000000000005EF234CE5296D501E40A0000E8060000D0070000010000000000000000000000000000000000000000000000000000000000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Leave)
40000000000000005EF234CE5296D501E40A0000E8060000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
FirstRun
0
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
LastIndex
33
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
1
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
StartNesting
EA3D24C65296D501
2788
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Owner
E40A00009CCBD0C55296D501
2788
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
SessionHash
A580DCCB1F13FC2D2F791B1F33B6A9F06346DCAC299CB82393A1ACC4B4C6F38D
2788
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Sequence
1
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
C:\Windows\Installer\39f53a.ipi
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Config.Msi\
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\39f53b.rbs
30774866
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\39f53b.rbsLow
3477387664
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\858132C493B23D11E8D0000CF486730D
7137FE921ACD9514792B8C38DA04A06C
2788
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
0
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Enter)
4000000000000000E6FCA4C65296D50188040000A8050000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Enter)
4000000000000000E6FCA4C65296D50188040000280C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Enter)
4000000000000000E6FCA4C65296D50188040000380C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Enter)
4000000000000000E6FCA4C65296D5018804000018070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Leave)
40000000000000004E86AEC65296D50188040000380C0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Leave)
40000000000000004E86AEC65296D50188040000280C0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Leave)
4000000000000000024BB3C65296D50188040000A8050000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Leave)
40000000000000005CADB5C65296D5018804000018070000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Enter)
4000000000000000F87252CD5296D501880400001807000001040000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Leave)
4000000000000000F87252CD5296D501880400001807000001040000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Enter)
4000000000000000AC3757CD5296D5018804000018070000E9030000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
4000000000000000AC3757CD5296D50188040000280C0000E9030000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Enter)
4000000000000000AC3757CD5296D50188040000A8050000E9030000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Leave)
4000000000000000069A59CD5296D50188040000280C0000E9030000000000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000069A59CD5296D50188040000280C000001000000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Leave)
400000000000000060FC5BCD5296D5018804000018070000E9030000000000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_STABLE (SetCurrentState)
400000000000000060FC5BCD5296D501880400001807000001000000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Leave)
4000000000000000BA5E5ECD5296D50188040000A8050000E9030000000000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000BA5E5ECD5296D50188040000A805000001000000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Enter)
40000000000000003E3676CD5296D50188040000280C0000F9030000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Enter)
40000000000000003E3676CD5296D5018804000018070000F9030000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Enter)
40000000000000003E3676CD5296D50188040000A8050000F9030000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Leave)
40000000000000003E3676CD5296D5018804000018070000F9030000000000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Leave)
4000000000000000989878CD5296D50188040000A8050000F9030000000000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Leave)
4000000000000000989878CD5296D50188040000280C0000F9030000000000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Enter)
40000000000000004C5D7DCD5296D501880400005409000002040000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Leave)
400000000000000038BE9ECD5296D501880400005409000002040000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Enter)
400000000000000038BE9ECD5296D5018804000054090000EA030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Enter)
40000000000000009220A1CD5296D501880400002C0B0000EA030000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Enter)
40000000000000009220A1CD5296D50188040000480B0000EA030000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Enter)
40000000000000009220A1CD5296D50188040000500E0000EA030000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Leave)
40000000000000006233B4CD5296D50188040000500E0000EA030000000000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000006233B4CD5296D50188040000500E000002000000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Leave)
4000000000000000BC95B6CD5296D501880400002C0B0000EA030000000000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000BC95B6CD5296D501880400002C0B000002000000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Leave)
4000000000000000BC95B6CD5296D50188040000480B0000EA030000000000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000BC95B6CD5296D50188040000480B000002000000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Leave)
4000000000000000A27E00CE5296D5018804000054090000EA030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Enter)
4000000000000000A27E00CE5296D5018804000054090000EB030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Enter)
4000000000000000A27E00CE5296D5018804000054090000EC030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Enter)
4000000000000000564305CE5296D501880400002C0B0000EB030000010000000200000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Leave)
4000000000000000564305CE5296D501880400002C0B0000EB030000000000000200000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000564305CE5296D501880400002C0B000003000000010000000200000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000564305CE5296D50188040000EC070000FC030000010000000300000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Leave)
4000000000000000564305CE5296D5018804000054090000EC030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Enter)
4000000000000000564305CE5296D5018804000054090000ED030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Leave)
40000000000000000A080ACE5296D5018804000054090000ED030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Enter)
40000000000000000A080ACE5296D5018804000054090000EE030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Enter)
4000000000000000646A0CCE5296D50188040000500E0000EB030000010000000200000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Leave)
4000000000000000646A0CCE5296D50188040000500E0000EB030000000000000200000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000646A0CCE5296D50188040000500E000003000000010000000200000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000646A0CCE5296D501880400009C080000FC030000010000000300000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Leave)
4000000000000000182F11CE5296D5018804000054090000EE030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Enter)
4000000000000000182F11CE5296D5018804000054090000F0030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Leave)
4000000000000000182F11CE5296D5018804000054090000F0030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Enter)
4000000000000000182F11CE5296D5018804000054090000EF030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Enter)
4000000000000000729113CE5296D50188040000400B0000EB030000010000000200000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Leave)
400000000000000080B81ACE5296D50188040000400B0000EB030000000000000200000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
400000000000000080B81ACE5296D50188040000400B000003000000010000000200000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Enter)
400000000000000080B81ACE5296D50188040000B0090000FC030000010000000300000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Leave)
400000000000000080B81ACE5296D5018804000054090000EF030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Leave)
400000000000000080B81ACE5296D5018804000054090000EB030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Enter)
400000000000000080B81ACE5296D501880400005409000003040000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Leave)
400000000000000080B81ACE5296D501880400005409000003040000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Enter)
400000000000000080B81ACE5296D5018804000054090000FD030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Enter)
400000000000000080B81ACE5296D501880400004C0B0000FD030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Leave)
40000000000000009C0629CE5296D501880400004C0B0000FD030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Leave)
40000000000000009C0629CE5296D5018804000054090000FD030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Enter)
40000000000000009C0629CE5296D501880400004C0B0000FE030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Leave)
40000000000000005EF234CE5296D501880400004C0B0000FE030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Enter)
40000000000000005EF234CE5296D501880400004C0B0000FF030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Leave)
40000000000000005EF234CE5296D501880400004C0B0000FF030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Enter)
40000000000000009C0629CE5296D5018804000054090000FE030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Leave)
40000000000000005EF234CE5296D5018804000054090000FE030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Enter)
40000000000000005EF234CE5296D5018804000054090000FF030000010000000000000000000000000000000000000000000000000000000000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Leave)
40000000000000005EF234CE5296D5018804000054090000FF030000000000000000000000000000000000000000000000000000000000000000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Enter)
40000000000000005EF234CE5296D50188040000C406000004040000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Leave)
40000000000000005EF234CE5296D50188040000C406000004040000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Enter)
40000000000000005EF234CE5296D501880400005409000005040000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Leave)
40000000000000005EF234CE5296D501880400005409000005040000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Enter)
40000000000000005EF234CE5296D5018804000054090000F4030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Leave)
40000000000000005EF234CE5296D5018804000054090000F4030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Enter)
40000000000000005EF234CE5296D5018804000054090000F2030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Enter)
4000000000000000C67B3ECE5296D50188040000700E0000F2030000010000000300000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Enter)
4000000000000000C67B3ECE5296D50188040000480B0000F2030000010000000300000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000C67B3ECE5296D50188040000B0090000FC030000000000000300000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Leave)
4000000000000000C67B3ECE5296D50188040000480B0000F2030000000000000300000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000C67B3ECE5296D50188040000480B000004000000010000000300000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000C67B3ECE5296D50188040000EC070000FC030000000000000300000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Enter)
4000000000000000C67B3ECE5296D50188040000600E0000F2030000010000000300000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Leave)
4000000000000000C67B3ECE5296D50188040000700E0000F2030000000000000300000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000C67B3ECE5296D501880400009C080000FC030000000000000300000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000C67B3ECE5296D50188040000700E000004000000010000000300000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Leave)
4000000000000000C67B3ECE5296D50188040000600E0000F2030000000000000300000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000C67B3ECE5296D50188040000600E000004000000010000000300000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Leave)
4000000000000000C67B3ECE5296D5018804000054090000F2030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Enter)
4000000000000000C67B3ECE5296D501880400005409000006040000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Leave)
400000000000000090167ACE5296D501880400005409000006040000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Enter)
400000000000000090167ACE5296D5018804000054090000F5030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Enter)
4000000000000000AC6488CE5296D50188040000400B0000F5030000010000000400000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Enter)
4000000000000000AC6488CE5296D50188040000600E0000F5030000010000000400000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Enter)
4000000000000000AC6488CE5296D50188040000480B0000F5030000010000000400000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Leave)
400000000000000060298DCE5296D50188040000600E0000F5030000000000000400000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
400000000000000060298DCE5296D50188040000600E000005000000010000000400000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Leave)
400000000000000060298DCE5296D50188040000480B0000F5030000000000000400000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
400000000000000060298DCE5296D50188040000480B000005000000010000000400000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Leave)
400000000000000034AA50CF5296D50188040000400B0000F5030000000000000400000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
40000000000000008E0C53CF5296D50188040000400B000005000000010000000400000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Leave)
4000000000000000E86E55CF5296D5018804000054090000F5030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Enter)
4000000000000000E86E55CF5296D501880400005409000007040000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Leave)
4000000000000000C6A86FCF5296D501880400005409000007040000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Enter)
400000000000000096BB82CF5296D5018804000054090000FB030000010000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Enter)
4000000000000000F01D85CF5296D50188040000400B0000FB030000010000000500000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Enter)
4000000000000000F01D85CF5296D50188040000500E0000FB030000010000000500000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Leave)
4000000000000000F01D85CF5296D50188040000400B0000FB030000000000000500000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Enter)
4000000000000000F01D85CF5296D50188040000480B0000FB030000010000000500000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Leave)
4000000000000000F01D85CF5296D50188040000500E0000FB030000000000000500000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Leave)
4000000000000000F01D85CF5296D50188040000480B0000FB030000000000000500000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Leave)
4000000000000000F01D85CF5296D5018804000054090000FB030000000000000000000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
460
MSIFC2F.tmp
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
460
MSIFC2F.tmp
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3924
Hyp.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
ELE
wscript "C:\Users\admin\eph\Hyp.vbs"
3080
Hyp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hyp_RASAPI32
EnableFileTracing
0
3080
Hyp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hyp_RASAPI32
EnableConsoleTracing
0
3080
Hyp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hyp_RASAPI32
FileTracingMask
4294901760
3080
Hyp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hyp_RASAPI32
ConsoleTracingMask
4294901760
3080
Hyp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hyp_RASAPI32
MaxFileSize
1048576
3080
Hyp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hyp_RASAPI32
FileDirectory
%windir%\tracing
3080
Hyp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hyp_RASMANCS
EnableFileTracing
0
3080
Hyp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hyp_RASMANCS
EnableConsoleTracing
0
3080
Hyp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hyp_RASMANCS
FileTracingMask
4294901760
3080
Hyp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hyp_RASMANCS
ConsoleTracingMask
4294901760
3080
Hyp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hyp_RASMANCS
MaxFileSize
1048576
3080
Hyp.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\hyp_RASMANCS
FileDirectory
%windir%\tracing
3080
Hyp.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3080
Hyp.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3080
Hyp.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3080
Hyp.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3080
Hyp.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings
––
616
Kkzec93.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
616
Kkzec93.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2552
Uha.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
dis
wscript "C:\Users\admin\REA\Uha.vbs"
2468
Uha.exe
write
HKEY_USERS\.DEFAULT\Software\wintaskhost-LKIJYF
exepath
53B453C8E8E4E96DE87A1290E89B48C78B4318F9574E08126DBAB9B1E78CB9F32E8C1E7E3DAE60DDBCC5373BF169912647668CAD35EE
2468
Uha.exe
write
HKEY_USERS\.DEFAULT\Software\wintaskhost-LKIJYF
licence
98716DD66F691F6FB65C51B7285094FC
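A triage pass over the registry table above. Almost all of it is vssvc.exe writing timestamps under the VSS\Diag keys as the shadow-copy writers go through PREPAREBACKUP, FREEZE, THAW, POSTSNAPSHOT and BACKUPSHUTDOWN; that choreography is a shadow copy being taken, consistent with the restore point Windows Installer creates for an MSI install, and it is not the payload touching shadow copies. The writes worth a look are the two RunOnce entries that hand a dropped .vbs to wscript, and the Uha.exe writes of hex-encoded "exepath" and "licence" values under a non-vendor key in HKEY_USERS\.DEFAULT\Software (note the hive: these land under .DEFAULT, not the admin user's own profile). The script below is an added example, not part of the ANY.RUN report: it parses the six-lines-per-record flattened layout used for both the registry table and the dropped-files table that follows, separates the VSS bookkeeping from the persistence and configuration writes, and groups the dropped executables by SHA256 so renamed copies of one payload line up. The sample records are copied from this page; the severity labels, the script-host list and the allow-list of expected Software\ children are the author's own heuristics, and the hex "exepath" blob is only flagged, not decoded.

```python
"""Triage helpers for the flattened ANY.RUN tables on this page (added example, not from the report).
Registry activity and dropped files were both flattened to one field per line, six lines per
record, so one parser reconstructs either table."""
import re
from collections import Counter, defaultdict

REG_FIELDS = ("pid", "process", "op", "key", "name", "data")
FILE_FIELDS = ("pid", "process", "path", "type", "md5", "sha256")
# Constructed samples: records copied from the two tables on this page, same flattened layout.
REG_SAMPLE = r"""
1160
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
4000000000000000AC3757CD5296D5018804000018070000E9030000010000000100000000000000300930659857844DA5AB4A872D1F1ABC0000000000000000
3924
Hyp.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce
ELE
wscript "C:\Users\admin\eph\Hyp.vbs"
2468
Uha.exe
write
HKEY_USERS\.DEFAULT\Software\wintaskhost-LKIJYF
exepath
53B453C8E8E4E96DE87A1290E89B48C78B4318F9574E08126DBAB9B1E78CB9F32E8C1E7E3DAE60DDBCC5373BF169912647668CAD35EE
"""
FILE_SAMPLE = r"""
460
MSIFC2F.tmp
C:\Users\admin\eph\Hyp.exe
executable
MD5: 7928b9f425f01ff9148f57b12ad4ac14
SHA256: 450a95487977b6f66f4fe47c44e09aa83d86ac80dc6ea39e69e9211cd3592331
3080
Hyp.exe
C:\Users\admin\AppData\Roaming\Kkzec93.exe
executable
MD5: f93ba4ebc8ed8a7eb197c14d5db4d972
SHA256: aec03b6b50aa474792d53392d6d44e627f68874d188e8750a06cd7b2d5e5d112
616
Kkzec93.exe
C:\Users\admin\REA\Uha.exe
executable
MD5: f93ba4ebc8ed8a7eb197c14d5db4d972
SHA256: aec03b6b50aa474792d53392d6d44e627f68874d188e8750a06cd7b2d5e5d112
"""

def parse_records(text, fields):
    """Rebuild dicts from the flattened layout; refuse input that is not aligned to the record size."""
    lines, n = text.strip("\n").split("\n"), len(fields)
    if len(lines) % n:
        raise ValueError(f"{len(lines)} lines is not a multiple of {n} fields")
    recs = [dict(zip(fields, lines[i:i + n])) for i in range(0, len(lines), n)]
    for r in recs:  # hash cells carry a "MD5: " / "SHA256: " prefix in the report
        for h in ("md5", "sha256"):
            if h in r:
                r[h] = r[h].split(":", 1)[-1].strip().lower()
    return recs

AUTOSTART_RE = re.compile(r"\\CurrentVersion\\Run(Once|OnceEx|Services)?$", re.I)
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "powershell", "cmd", "rundll32", "regsvr32"}
VENDOR_KEYS = {"microsoft", "classes", "policies", "wow6432node"}  # expected children of Software\ (heuristic)
HEX_BLOB_RE = re.compile(r"^[0-9a-f]{32,}$", re.I)

def launcher(cmd):
    """First token of an autostart command, reduced to a bare program name."""
    tok = cmd.split()[0].strip('"') if cmd.split() else ""
    tok = tok.rsplit("\\", 1)[-1].lower()
    return tok[:-4] if tok.endswith(".exe") else tok

def classify(rec):
    key = rec["key"]
    if rec["process"].lower() == "vssvc.exe" and "\\VSS\\Diag\\" in key:
        return "info", "vss-diag"  # shadow-copy writer bookkeeping, not the malware
    if AUTOSTART_RE.search(key):
        hot = launcher(rec["data"]) in SCRIPT_HOSTS
        return ("high", "autostart-scripthost") if hot else ("medium", "autostart")
    m = re.search(r"\\Software\\([^\\]+)", key, re.I)
    if m and m.group(1).lower() not in VENDOR_KEYS:  # e.g. Software\wintaskhost-LKIJYF
        blob = HEX_BLOB_RE.match(rec["data"]) is not None
        return ("high", "custom-key-hexblob") if blob else ("medium", "custom-key")
    return "info", "other"

def triage_registry(text):
    """Return (findings worth a look, count of every label seen)."""
    findings, counts = [], Counter()
    for rec in parse_records(text, REG_FIELDS):
        sev, label = classify(rec)
        counts[label] += 1
        if sev != "info":
            findings.append({"severity": sev, "label": label, **rec})
    return findings, counts

def drop_chain(text):
    """Group dropped executables by SHA256 so renamed copies of one payload line up,
    keeping (writer process, file name) so the drop order can be read off."""
    by_hash = defaultdict(list)
    for rec in parse_records(text, FILE_FIELDS):
        if rec["type"] == "executable":
            by_hash[rec["sha256"]].append((rec["process"], rec["path"].rsplit("\\", 1)[-1]))
    return dict(by_hash)
```

Run against the full tables, `triage_registry` drops the VSS noise to a single count and leaves the RunOnce and wintaskhost-LKIJYF writes as the findings; `drop_chain` shows MSIFC2F.tmp, Hyp.exe and A71D80.exe as one file under three names, and RTX[1].exe, Kkzec93.exe and Uha.exe as the second payload, with the writer column giving the order in which each copy was made.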

Files activity

Executable files
9
Suspicious files
14
Text files
18
Unknown types
6

Dropped files

PID
Process
Filename
Type
616
Kkzec93.exe
C:\Users\admin\REA\Uha.exe
executable
MD5: f93ba4ebc8ed8a7eb197c14d5db4d972
SHA256: aec03b6b50aa474792d53392d6d44e627f68874d188e8750a06cd7b2d5e5d112
3080
Hyp.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\RTX[1].exe
executable
MD5: f93ba4ebc8ed8a7eb197c14d5db4d972
SHA256: aec03b6b50aa474792d53392d6d44e627f68874d188e8750a06cd7b2d5e5d112
3080
Hyp.exe
C:\Users\admin\AppData\Roaming\F63AAA\A71D80.exe
executable
MD5: 7928b9f425f01ff9148f57b12ad4ac14
SHA256: 450a95487977b6f66f4fe47c44e09aa83d86ac80dc6ea39e69e9211cd3592331
460
MSIFC2F.tmp
C:\Users\admin\eph\Hyp.exe
executable
MD5: 7928b9f425f01ff9148f57b12ad4ac14
SHA256: 450a95487977b6f66f4fe47c44e09aa83d86ac80dc6ea39e69e9211cd3592331
2788
msiexec.exe
C:\Windows\Installer\MSIFC2F.tmp
executable
MD5: 7928b9f425f01ff9148f57b12ad4ac14
SHA256: 450a95487977b6f66f4fe47c44e09aa83d86ac80dc6ea39e69e9211cd3592331
2788
msiexec.exe
C:\Windows\Installer\39f538.msi
executable
MD5: ae5052ad78ac7b8910f9ce603a885693
SHA256: 657fc1ca4004e7ab2a01c9e6a1668aebb3aa43386164121b3272393e628007a0
1296
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\DLK[1].msi
executable
MD5: ae5052ad78ac7b8910f9ce603a885693
SHA256: 657fc1ca4004e7ab2a01c9e6a1668aebb3aa43386164121b3272393e628007a0
3744
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I7JXM3DQ\DLK[1].msi
executable
MD5: ae5052ad78ac7b8910f9ce603a885693
SHA256: 657fc1ca4004e7ab2a01c9e6a1668aebb3aa43386164121b3272393e628007a0
3080
Hyp.exe
C:\Users\admin\AppData\Roaming\Kkzec93.exe
executable
MD5: f93ba4ebc8ed8a7eb197c14d5db4d972
SHA256: aec03b6b50aa474792d53392d6d44e627f68874d188e8750a06cd7b2d5e5d112
2280
MSIFC2F.tmp
C:\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
2468
Uha.exe
C:\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
2552
Uha.exe
C:\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
616
Kkzec93.exe
C:\Users\admin\AppData\Local\Temp\~DF01D74D5CB477A849.TMP
binary
MD5: 50d025d94e2aaaaa6a1a95af46c6c82b
SHA256: ffe28f2b79eb5dfbcec816ab955b1fdecdf7f9b33c5bdc01f0e4480a26dff1a4
3080
Hyp.exe
C:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
binary
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
3080
Hyp.exe
C:\Users\admin\AppData\Roaming\F63AAA\A71D80.hdb
binary
MD5: 1ea474de44a529769697b975640bd8b2
SHA256: d691fa348f0e9aa35826d39327695fb8a939734094abc969a8a5ba2c0f76fccb
3080
Hyp.exe
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_90059c37-1320-41a4-b58d-2b75a9850d2f
dbf
MD5: 64bc6b0e1d907ae8acf27bdb155344c2
SHA256: dd4e0b0b64da5d95420c0e5423726f109e820e18b8a0b602274a7404f16f3ab2
3924
Hyp.exe
C:\Users\admin\AppData\Local\Temp\~DF260DAF4225A769FD.TMP
binary
MD5: d54ee59765519d0cf263f94d0cb32171
SHA256: e3d6e93a2478117a649090b0cbc30d7be46571942ac56989d6e1e1774233711a
3080
Hyp.exe
C:\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
3924
Hyp.exe
C:\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
2788
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DF7A89C34979C7BB41.TMP
––
MD5:  ––
SHA256:  ––
2788
msiexec.exe
C:\Windows\Installer\39f53a.ipi
––
MD5:  ––
SHA256:  ––
460
MSIFC2F.tmp
C:\Users\admin\AppData\Local\Temp\~DF7D87B70029220A1E.TMP
binary
MD5: d54ee59765519d0cf263f94d0cb32171
SHA256: e3d6e93a2478117a649090b0cbc30d7be46571942ac56989d6e1e1774233711a
2788
msiexec.exe
C:\Config.Msi\39f53b.rbs
––
MD5:  ––
SHA256:  ––
2280
MSIFC2F.tmp
C:\Users\admin\AppData\Local\Temp\~DF9BB7723970A790C1.TMP
binary
MD5: d54ee59765519d0cf263f94d0cb32171
SHA256: e3d6e93a2478117a649090b0cbc30d7be46571942ac56989d6e1e1774233711a
3832
Kkzec93.exe
C:\Users\admin\AppData\Local\Temp\~DF50AC882BDAE3001F.TMP
binary
MD5: 50d025d94e2aaaaa6a1a95af46c6c82b
SHA256: ffe28f2b79eb5dfbcec816ab955b1fdecdf7f9b33c5bdc01f0e4480a26dff1a4
460
MSIFC2F.tmp
C:\Users\admin\eph\Hyp.vbs
text
MD5: a44d2cd315bd9fa23a4ed2a59bd2e122
SHA256: e0a53a0a109caa9fecc391853fec0c32c0acaf6eac71facd224c4378abb6a23c
460
MSIFC2F.tmp
C:\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
1160
vssvc.exe
C:
––
MD5:  ––
SHA256:  ––
3744
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
dat
MD5: 350594a6499520d360c7d67c93cce086
SHA256: 5d7a5f6c73075c6de7e9bfb6ecc002284e9070e0504bc437a2c81472b879a9b7
2468
Uha.exe
C:\Users\admin\AppData\Roaming\wintaskhost\logs.dat
binary
MD5: fd94a435badbebfe058d06282d73ba71
SHA256: 3270b564eb9350aa06cb8f952a89c07fe52ed27f91548d8947ed878aac1bdda9
2788
msiexec.exe
C:\Windows\Installer\MSIFB04.tmp
binary
MD5: 4edd59c0d267b8c6cca503b1e78f0e65
SHA256: 42f8e0762090cc05a18bbaef29cc9aa38ccd04ac867d30d87c141d69e0d1f3b3
2788
msiexec.exe
C:\Windows\Installer\39f53a.ipi
binary
MD5: da12a34ce57197ae3d92ab1caae01e84
SHA256: 77cdcbb5a5fd73a1613868e169206f3bf3df9b51e55ef6b13a01be4001ba3526
2788
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DFC48E9324BDF9B4D8.TMP
––
MD5:  ––
SHA256:  ––
616
Kkzec93.exe
C:\Users\admin\REA\Uha.vbs
text
MD5: ef9d304cd37d3329d331f35e748677e8
SHA256: ab9e6e533f01a74ae73017b04cfecd2d008abf391288b9f855c01ed87dd14df6
2788
msiexec.exe
C:\System Volume Information\SPP\metadata-2
––
MD5:  ––
SHA256:  ––
2788
msiexec.exe
C:\System Volume Information\SPP\snapshot-2
binary
MD5: abce50602eecfbd0c752988f17ea4c10
SHA256: d6fa619baa9611ec6cb5c2724e23e8064eeef819a0d26fc8d85fe8307c620950
2788
msiexec.exe
C:\System Volume Information\SPP\OnlineMetadataCache\{65300930-5798-4d84-a5ab-4a872d1f1abc}_OnDiskSnapshotProp
binary
MD5: abce50602eecfbd0c752988f17ea4c10
SHA256: d6fa619baa9611ec6cb5c2724e23e8064eeef819a0d26fc8d85fe8307c620950
1296
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{FFE04711-0245-11EA-AB41-5254004A04AF}.dat
––
MD5:  ––
SHA256:  ––
1296
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF1FAD2BA99275A5FE.TMP
––
MD5:  ––
SHA256:  ––
3744
iexplore.exe
C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log
text
MD5: e03b66d919ff0a07d80bd1cd305a5850
SHA256: d2253f1cc8b04d3acfc96364d3fc845a271b57139a730f1df40e3a298990c010
1296
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019110820191109\index.dat
dat
MD5: 4d727d46ff52f61ebb97d80039d05e3b
SHA256: 7d4e121e34d1cfc0b4e16681febc4e218a666ca2e6187786891377b6dde38e88
3744
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019110820191109\index.dat
dat
MD5: be504c9a82979852babfa035bd30e4f1
SHA256: 058cf89483e9bcc046cd6f5adff271b2829a2548b08a12e0e588de2f6865b3a4
1296
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I7JXM3DQ\DLK[1].msi:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
3744
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
dat
MD5: 554b2b9f5e83eaeaf8eb53e2290113f0
SHA256: 08a46e53f791eea102b2e38f9bfb2d3552977791d28a3858723617a0569d91c4
1296
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\DLK[1].msi:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
616
Kkzec93.exe
C:\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
3832
Kkzec93.exe
C:\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
1296
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{FFE04712-0245-11EA-AB41-5254004A04AF}.dat
binary
MD5: 15fb16fbb1d3fc6a8761fc9799826ab6
SHA256: 28a04c296d7e209ff0bb911e62d4b5b4a8c754e89eac8b6a9de66673b75893cd
1296
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF8124A34CB63CFED1.TMP
––
MD5:  ––
SHA256:  ––
1296
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
1296
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
1296
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
––
MD5:  ––
SHA256:  ––
3744
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I9AWE57A\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3744
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I7JXM3DQ\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3744
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ORYJBI6F\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3744
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JPOOIRIZ\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
2552
Uha.exe
C:\Users\admin\AppData\Local\Temp\~DFC71B9F9857897455.TMP
binary
MD5: 50d025d94e2aaaaa6a1a95af46c6c82b
SHA256: ffe28f2b79eb5dfbcec816ab955b1fdecdf7f9b33c5bdc01f0e4480a26dff1a4

Find more information on the static content and download it at the full report

Network activity

HTTP(S) requests
8
TCP/UDP connections
14
DNS requests
9
Threats
46

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3744 iexplore.exe GET 200 162.212.13.240:80 http://securehub.top/files/DLK.msi GD executable –– malicious
1296 iexplore.exe GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico US image –– whitelisted
3080 Hyp.exe POST 404 186.195.126.144:80 http://securehub.top/basex/Panel/fre.php BR binary, text –– malicious
3080 Hyp.exe POST 404 186.195.126.144:80 http://securehub.top/basex/Panel/fre.php BR binary, text –– malicious
3080 Hyp.exe POST 404 186.195.126.144:80 http://securehub.top/basex/Panel/fre.php BR binary, binary –– malicious
3080 Hyp.exe GET 200 45.171.122.28:80 http://mpsoren.cc/RTX.exe??????????????? unknown executable –– malicious
3080 Hyp.exe POST 404 186.195.126.144:80 http://securehub.top/basex/Panel/fre.php BR binary, binary –– malicious
3080 Hyp.exe POST 404 45.171.122.28:80 http://securehub.top/basex/Panel/fre.php unknown binary, binary –– malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3744 iexplore.exe 162.212.13.240:80 Digicel Jamaica GD suspicious
1296 iexplore.exe 204.79.197.200:80 Microsoft Corporation US whitelisted
3080 Hyp.exe 186.195.126.144:80 Provnet Ltda. BR malicious
3080 Hyp.exe 45.171.122.28:80 –– malicious
2468 Uha.exe 142.44.161.51:6464 OVH SAS CA malicious
2468 Uha.exe 142.44.161.51:7076 OVH SAS CA malicious

DNS requests

Domain IP Reputation
securehub.top 162.212.13.240, 189.3.140.163, 93.78.122.243, 175.42.159.110, 45.171.122.28, 152.204.0.133, 186.195.126.144 malicious
www.bing.com 204.79.197.200, 13.107.21.200 whitelisted
mpsoren.cc 45.171.122.28, 162.212.13.240, 175.42.159.110, 93.78.122.243, 189.3.140.163, 152.204.0.133, 186.195.126.144 malicious
plunder.nsupdate.info 142.44.161.51 malicious
dns.msftncsi.com 131.107.255.255 whitelisted

Threats

PID Process Class Message
–– –– Potentially Bad Traffic ET DNS Query to a *.top domain - Likely Hostile
3744 iexplore.exe Potentially Bad Traffic ET INFO HTTP Request to a *.top domain
3744 iexplore.exe Potential Corporate Privacy Violation POLICY [PTsecurity] Executable application_x-msi Download
3744 iexplore.exe Misc activity SUSPICIOUS [PTsecurity] Executable ExeToMSI Download
3080 Hyp.exe A Network Trojan was detected MALWARE [PTsecurity] Loki/Pony Bot Artifact Check-in
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot User-Agent (Charon/Inferno)
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Checkin
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3080 Hyp.exe A Network Trojan was detected MALWARE [PTsecurity] Loki Bot Check-in M2
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot User-Agent (Charon/Inferno)
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Checkin
3080 Hyp.exe A Network Trojan was detected MALWARE [PTsecurity] Loki/Pony Bot Artifact Check-in
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3080 Hyp.exe A Network Trojan was detected MALWARE [PTsecurity] Loki Bot Check-in M2
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot User-Agent (Charon/Inferno)
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Checkin
3080 Hyp.exe A Network Trojan was detected MALWARE [PTsecurity] Loki/Pony Bot Artifact Check-in
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Request for C2 Commands Detected M1
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Request for C2 Commands Detected M2
3080 Hyp.exe A Network Trojan was detected MALWARE [PTsecurity] Loki Bot Check-in M2
–– –– Potentially Bad Traffic ET DNS Query for .cc TLD
3080 Hyp.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot User-Agent (Charon/Inferno)
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Checkin
3080 Hyp.exe A Network Trojan was detected MALWARE [PTsecurity] Loki/Pony Bot Artifact Check-in
3080 Hyp.exe Potentially Bad Traffic ET INFO HTTP Request to a *.top domain
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Request for C2 Commands Detected M1
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Request for C2 Commands Detected M2
3080 Hyp.exe A Network Trojan was detected MALWARE [PTsecurity] Loki Bot Check-in M2
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Fake 404 Response
–– –– Potentially Bad Traffic ET DNS Query to a *.top domain - Likely Hostile
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot User-Agent (Charon/Inferno)
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Checkin
3080 Hyp.exe A Network Trojan was detected MALWARE [PTsecurity] Loki/Pony Bot Artifact Check-in
3080 Hyp.exe Potentially Bad Traffic ET INFO HTTP Request to a *.top domain
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Request for C2 Commands Detected M1
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Request for C2 Commands Detected M2
3080 Hyp.exe A Network Trojan was detected MALWARE [PTsecurity] Loki Bot Check-in M2
3080 Hyp.exe A Network Trojan was detected ET TROJAN LokiBot Fake 404 Response

5 ETPRO signatures available at the full report

Debug output strings

No debug info.