General Info

File name

fuck_spheres.exe

Full analysis
https://app.any.run/tasks/e5ab6600-6459-487a-9b56-a582f5fd045b
Verdict
Malicious activity
Analysis date
10/9/2019, 20:18:02
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5

eb08cf518184deb024cadc8097b80026

SHA1

e28524c60a4d17cee7a95759f01e768f414db8ee

SHA256

978fcaef114b868a1fd879e1b0135abf7cb5cf6ac203bca205f798256e536ec6

SSDEEP

98304:wSmAvJGSqp7Ju1G64ESktXr/ZLeL7X70hz+iCD9mPpMG+B4N4kK4dRnF5rQZFJwe:wVAxGllUBFXr/kn7gz+txmbukF5rOFOe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • winsdksetup.exe (PID: 2972)
  • winsdksetup.exe (PID: 552)
  • crypto.exe (PID: 2520)
  • crypto.exe (PID: 2844)
  • hdd.exe (PID: 1696)
  • winsdksetup.exe (PID: 3052)
Loads dropped or rewritten executable
  • winsdksetup.exe (PID: 552)
  • crypto.exe (PID: 2520)
Changes settings of System certificates
  • winsdksetup.exe (PID: 552)
Actions look like stealing of personal data
  • crypto.exe (PID: 2520)
Changes the autorun value in the registry
  • winsdksetup.exe (PID: 3052)
Executable content was dropped or overwritten
  • winsdksetup.exe (PID: 2972)
  • fuck_spheres.exe (PID: 3364)
  • winsdksetup.exe (PID: 552)
  • crypto.exe (PID: 2844)
  • winsdksetup.exe (PID: 3052)
Creates files in the Windows directory
  • winsdksetup.exe (PID: 2972)
  • winsdksetup.exe (PID: 552)
Creates files in the program directory
  • winsdksetup.exe (PID: 552)
  • winsdksetup.exe (PID: 3052)
Starts itself from another location
  • winsdksetup.exe (PID: 552)
Reads Internet Cache Settings
  • winsdksetup.exe (PID: 552)
Application launched itself
  • crypto.exe (PID: 2844)
Adds / modifies Windows certificates
  • winsdksetup.exe (PID: 552)
Removes files from Windows directory
  • winsdksetup.exe (PID: 552)
Loads Python modules
  • crypto.exe (PID: 2520)
Searches for installed software
  • winsdksetup.exe (PID: 3052)
Creates a software uninstall entry
  • winsdksetup.exe (PID: 3052)
Executed as Windows Service
  • vssvc.exe (PID: 2124)
Executed via COM
  • DrvInst.exe (PID: 2128)
Dropped object may contain Bitcoin addresses
  • winsdksetup.exe (PID: 552)
Reads settings of System Certificates
  • winsdksetup.exe (PID: 552)
Low-level read access rights to disk partition
  • vssvc.exe (PID: 2124)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK matrix in the full report.

Reading these signatures: the winsdksetup.exe chain (PIDs 2972, 552, 3052) carries Microsoft Corporation version information and the WiX Burn bootstrapper layout (the -burn.clean.room re-launch, the .cr/.ba/.be directories under C:\Windows\Temp, mbahost.dll and bootstrappercore.dll), and PID 3052 loads srclient.dll and vssapi.dll, so its certificate, autorun, uninstall-entry and volume-snapshot activity (including the vssvc.exe and DrvInst.exe "HarddiskVolumeSnapshot22" events) is consistent with what the Windows 10 SDK bootstrapper does on its own when it creates a restore point. The report shows no signature check on that dropped file, so treat it as a probable decoy rather than verified Microsoft code. The payload-shaped children are crypto.exe, a PyInstaller one-file bundle whose parent instance (PID 2844) extracts Python 2.7 and PyCrypto's _AES, _counter (CTR mode) and OSRNG modules to %TEMP%\_MEI28442 and re-launches itself as PID 2520, and hdd.exe, whose version resource claims ApacheBench 2.2.14 but whose module list holds fmifs.dll, ulib.dll, ifsutil.dll and untfs.dll (the format.com / chkdsk libraries) and fveapi.dll (the BitLocker API). This is a 60-second run with no network options enabled, so what either of them does with those capabilities is not established by this report.

Static information

TRiD
.exe
|   Generic CIL Executable (.NET, Mono, etc.) (63.1%)
.exe
|   Win64 Executable (generic) (23.8%)
.dll
|   Win32 Dynamic Link Library (generic) (5.6%)
.exe
|   Win32 Executable (generic) (3.8%)
.exe
|   Generic Win/DOS Executable (1.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:10:09 15:50:58+02:00
PEType:
PE32
LinkerVersion:
11
CodeSize:
5633536
InitializedDataSize:
2560
UninitializedDataSize:
null
EntryPoint:
0x56154e
OSVersion:
4
ImageVersion:
null
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
10.1.18362.1
ProductVersionNumber:
10.1.18362.1
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
FileDescription:
Windows Software Development Kit - Windows 10.0.18362.1
FileVersion:
10.1.18362.1
InternalName:
winsdksetupEVIL.exe
LegalCopyright:
Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFileName:
winsdksetupEVIL.exe
ProductName:
Windows Software Development Kit - Windows 10.0.18362.1
ProductVersion:
10.1.18362.1
AssemblyVersion:
10.1.18362.1
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
09-Oct-2019 13:50:58
FileDescription:
Windows Software Development Kit - Windows 10.0.18362.1
FileVersion:
10.1.18362.1
InternalName:
winsdksetupEVIL.exe
LegalCopyright:
Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFilename:
winsdksetupEVIL.exe
ProductName:
Windows Software Development Kit - Windows 10.0.18362.1
ProductVersion:
10.1.18362.1
Assembly Version:
10.1.18362.1
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000080
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
3
Time date stamp:
09-Oct-2019 13:50:58
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00002000 0x0055F554 0x0055F600 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 7.99901
.rsrc 0x00562000 0x00000790 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.33019
.reloc 0x00564000 0x0000000C 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 0.10191
Resources
1

Imports
    mscoree.dll

Exports

    No exports.
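The .text section above measures 7.999 bits/byte over 5.6 MB while the file imports only mscoree.dll: the managed stub is small and the bulk of the section is compressed or encrypted content, consistent with embedded payloads such as the three executables the sample drops. The script below is an added example, not code from the ANY.RUN report or from the sample. It parses a PE section table with the standard library only and flags executable sections whose entropy approaches 8 bits/byte. The PE it assembles in `build_pe` is constructed test input (pseudo-random bytes stand in for packed content); pass a real file path on the command line to run the same check against a sample.

```python
"""Section-entropy triage for PE files (stdlib only). Added example, not part of the report."""
import math
import random
import struct
import sys
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe: bytes):
    """Walk IMAGE_SECTION_HEADER[] and return [(name, raw_size, entropy, characteristics)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_optional  # section table follows the optional header
    rows = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        body = pe[raw_ptr:raw_ptr + raw_size]
        rows.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size,
                     round(shannon_entropy(body), 3), chars))
    return rows


def packed_sections(pe: bytes, threshold: float = 7.5):
    """Executable sections whose bytes are near-random, the usual sign of packed or
    encrypted content. Compiled code normally sits well below 7.5; this sample's .text is 7.999."""
    return [name for name, _size, ent, chars in section_entropies(pe)
            if chars & IMAGE_SCN_MEM_EXECUTE and ent >= threshold]


def build_pe(sections):
    """Constructed test input: a minimal, non-runnable PE32 carrying the given
    [(name, body, characteristics)] sections, so the parser can be exercised offline."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size, n = 0xE0, len(sections)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)  # I386, EXEC|32BIT
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * n
    first_raw = (headers_end + 0x1FF) & ~0x1FF  # sections start on a 512-byte file boundary
    table, bodies, raw_ptr, vaddr = b"", b"", first_raw, 0x1000
    for name, body, chars in sections:
        raw_size = (len(body) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), vaddr,
                             raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += (raw_size + 0xFFF) & ~0xFFF
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table
    return headers.ljust(first_raw, b"\0") + bodies


_rng = random.Random(7)  # fixed seed: deterministic pseudo-random "packed" bytes
SAMPLE_PE = build_pe([
    (b".text", bytes(_rng.getrandbits(8) for _ in range(8192)), 0x60000020),  # CODE|EXECUTE|READ
    (b".rsrc", b"VS_VERSION_INFO\0" * 64, 0x40000040),                        # INITIALIZED_DATA|READ
    (b".reloc", b"\0" * 12, 0x42000040),                                      # ...|DISCARDABLE
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    flagged = packed_sections(data)
    for name, size, ent, _chars in section_entropies(data):
        mark = "  <- packed?" if name in flagged else ""
        print(f"{name:<8} raw={size:#010x} entropy={ent:.3f}{mark}")
```

A high-entropy executable section is a triage signal, not a verdict: a .NET assembly that merely embeds compressed resources will score the same way, which is why the next step here is the dynamic evidence (the three executables written out at run time) rather than the number alone.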

Processes

Total processes
45
Monitored processes
10
Malicious processes
6
Suspicious processes
0

Behavior graph

Process chain, reconstructed from the graph's edge labels (five "drop and start" edges, one "start" edge) and the parent and module data in the process records below. Attaching the three dropped children to the elevated instance PID 3364 rather than the failed PID 3200 is inferred from PID 3364's module list and drop indicators:

fuck_spheres.exe (PID 3200, MEDIUM, exited 0xC000042C STATUS_ELEVATION_REQUIRED; no specs)
fuck_spheres.exe (PID 3364, HIGH)
  |-- drop and start --> winsdksetup.exe (PID 2972)
  |     `-- drop and start --> winsdksetup.exe (PID 552, .cr clean-room copy)
  |           `-- drop and start --> winsdksetup.exe (PID 3052, .be engine, -burn.elevated)
  |-- drop and start --> crypto.exe (PID 2844)
  |     `-- start --> crypto.exe (PID 2520)
  `-- drop and start --> hdd.exe (PID 1696; no specs)
vssvc.exe (PID 2124, SYSTEM service; no specs)
DrvInst.exe (PID 2128, SYSTEM, via COM; no specs)

Process information

PID
3200
CMD
"C:\Users\admin\AppData\Local\Temp\fuck_spheres.exe"
Path
C:\Users\admin\AppData\Local\Temp\fuck_spheres.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity launch was refused because the image requests elevation, either through its manifest or through UAC installer detection keying on the "setup" string in its version information; with UAC auto-confirmation enabled for this task, the elevated re-launch is PID 3364 below)
Version:
Company
Description
Windows Software Development Kit - Windows 10.0.18362.1
Version
10.1.18362.1
Modules
Image
c:\users\admin\appdata\local\temp\fuck_spheres.exe

PID
3364
CMD
"C:\Users\admin\AppData\Local\Temp\fuck_spheres.exe"
Path
C:\Users\admin\AppData\Local\Temp\fuck_spheres.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Windows Software Development Kit - Windows 10.0.18362.1
Version
10.1.18362.1
Modules
Image
c:\users\admin\appdata\local\temp\fuck_spheres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\winsdksetup.exe
c:\windows\system32\twext.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\userenv.dll
c:\program files\winrar\rarext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\netutils.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\windows\system32\linkinfo.dll
c:\program files\notepad++\nppshell_06.dll
c:\windows\system32\acppage.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\msi.dll
c:\windows\system32\wer.dll
c:\windows\system32\devrtl.dll
c:\users\admin\documents\crypto.exe
c:\windows\system32\bcrypt.dll
c:\users\admin\appdata\local\temp\hdd.exe

PID
2972
CMD
"C:\Users\admin\AppData\Local\Temp\winsdksetup.exe"
Path
C:\Users\admin\AppData\Local\Temp\winsdksetup.exe
Indicators
Parent process
fuck_spheres.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Windows Software Development Kit - Windows 10.0.18362.1
Version
10.1.18362.1
Modules
Image
c:\users\admin\appdata\local\temp\winsdksetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\msi.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\feclient.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\temp\{ef33738e-eb02-4bf4-93ad-a68cda5bb433}\.cr\winsdksetup.exe

PID
552
CMD
"C:\Windows\Temp\{EF33738E-EB02-4BF4-93AD-A68CDA5BB433}\.cr\winsdksetup.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\winsdksetup.exe" -burn.filehandle.attached=148 -burn.filehandle.self=156
Path
C:\Windows\Temp\{EF33738E-EB02-4BF4-93AD-A68CDA5BB433}\.cr\winsdksetup.exe
Indicators
Parent process
winsdksetup.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Windows Software Development Kit - Windows 10.0.18362.1
Version
10.1.18362.1
Modules
Image
c:\windows\temp\{ef33738e-eb02-4bf4-93ad-a68cda5bb433}\.cr\winsdksetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\version.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\profapi.dll
c:\windows\system32\feclient.dll
c:\windows\temp\{8138bf5e-4579-4e6d-b9a6-6296a927979d}\.ba\mbahost.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\temp\{8138bf5e-4579-4e6d-b9a6-6296a927979d}\.ba\bootstrappercore.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\bcrypt.dll
c:\windows\temp\{8138bf5e-4579-4e6d-b9a6-6296a927979d}\.ba\microsoft.bootstrapper.dll
c:\windows\system32\psapi.dll
c:\windows\temp\{8138bf5e-4579-4e6d-b9a6-6296a927979d}\.ba\microsoft.diagnostics.tracing.eventsource.dll
c:\windows\temp\{8138bf5e-4579-4e6d-b9a6-6296a927979d}\.ba\microsoft.bootstrapper.presentation.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\windowsbase\0d5a8e6f89227cc5d954e65856f9cf1a\windowsbase.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentationcore\e7873d3bd71f6122c2a954be1bb5bb28\presentationcore.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio5ae0f00f#\b34cda03a984c515b31faf410e5b7e39\presentationframework.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xaml\4d290752f65a065fcde70178562c3383\system.xaml.ni.dll
c:\windows\system32\dwrite.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpfgfx_v0400.dll
c:\windows\system32\msvcp120_clr0400.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\presentationnative_v0400.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatiod51afaa5#\867cbe7462b04e2cf1ae39abb576ae2a\presentationframework.classic.ni.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\vga.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio49d6fefe#\f52bfe40c54917622ed3abb98db8f90a\presentationframework-systemxml.ni.dll
c:\windows\system32\msctfui.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\uiautomationtypes\1e1a1bd97e618bc4934ee967bea27ae8\uiautomationtypes.ni.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\oleacc.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrcompression.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentationui\efec1926513ece87ff644670cdd80031\presentationui.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml.linq\f68563fb25af65c25de37130ebcd576c\system.xml.linq.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio4b37ff64#\b204998e0b878089f7fd625612a35dfa\presentationframework-systemxmllinq.ni.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\temp\{8138bf5e-4579-4e6d-b9a6-6296a927979d}\.be\winsdksetup.exe
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
2844
CMD
"C:\Users\admin\Documents\crypto.exe"
Path
C:\Users\admin\Documents\crypto.exe
Indicators
Parent process
fuck_spheres.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
Version
Modules
Image
c:\users\admin\documents\crypto.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\apphelp.dll

PID
1696
CMD
"C:\Users\admin\AppData\Local\Temp\hdd.exe"
Path
C:\Users\admin\AppData\Local\Temp\hdd.exe
Indicators
No indicators
Parent process
fuck_spheres.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Apache Software Foundation
Description
ApacheBench command line utility (claimed by the version resource only; the module list below contains fmifs.dll, ulib.dll, ifsutil.dll and untfs.dll, the libraries behind format.com and chkdsk, plus the BitLocker API fveapi.dll, none of which an HTTP benchmarking tool needs)
Version
2.2.14
Modules
Image
c:\users\admin\appdata\local\temp\hdd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\fmifs.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\untfs.dll
c:\windows\system32\fveapi.dll
c:\windows\system32\tbs.dll
c:\windows\system32\fvecerts.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll

PID
2520
CMD
"C:\Users\admin\Documents\crypto.exe"
Path
C:\Users\admin\Documents\crypto.exe
Indicators
Parent process
crypto.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
Version
Modules
Image
c:\users\admin\documents\crypto.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\users\admin\appdata\local\temp\_mei28442\python27.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\users\admin\appdata\local\temp\_mei28442\msvcr90.dll
c:\users\admin\appdata\local\temp\_mei28~1\_ctypes.pyd
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\users\admin\appdata\local\temp\_mei28~1\_multiprocessing.pyd
c:\users\admin\appdata\local\temp\_mei28~1\_hashlib.pyd
c:\users\admin\appdata\local\temp\_mei28~1\crypto.cipher._aes.pyd
c:\users\admin\appdata\local\temp\_mei28~1\crypto.random.osrng.winrandom.pyd
c:\users\admin\appdata\local\temp\_mei28~1\crypto.util._counter.pyd

PID
3052
CMD
"C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.be\winsdksetup.exe" -q -burn.elevated BurnPipe.{5235E579-47C3-4ED5-B253-A8084F156FC4} {C867AF44-D30A-448E-BB91-59371DC06513} 552
Path
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.be\winsdksetup.exe
Indicators
Parent process
winsdksetup.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Windows Software Development Kit - Windows 10.0.18362.1
Version
10.1.18362.1
Modules
Image
c:\windows\temp\{8138bf5e-4579-4e6d-b9a6-6296a927979d}\.be\winsdksetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\msi.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\feclient.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\profapi.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wuapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\wups.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll

PID
2124
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
2128
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "00000534" "00000394"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll
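The records above give each process only a parent image name, a decimal exit code and a module list, which is enough to rebuild the chain by hand but error-prone at this size. The script below is an added example, not part of the ANY.RUN report: it parses records in the layout of this section, resolves parents by name (with the module-list heuristic explained in the code), decodes decimal NTSTATUS exit codes such as 3221226540, and pairs a failed medium-integrity launch with its elevated re-launch. The embedded input is abridged from three of the records above (PIDs 3200, 3364 and 2972) with most fields and modules omitted; feed it a full copy of the section to get the whole tree.

```python
"""Process-tree reconstruction from ANY.RUN 'Process information' records. Added example."""
from collections import defaultdict

KEYS = {"PID", "CMD", "Path", "Indicators", "Parent process", "User", "Integrity Level",
        "Exit code", "Version:", "Company", "Description", "Version", "Modules", "Image"}
# NTSTATUS values that sandboxes print as unsigned decimals (3221226540 == 0xC000042C).
NTSTATUS = {0xC000042C: "STATUS_ELEVATION_REQUIRED", 0xC0000005: "STATUS_ACCESS_VIOLATION",
            0xC0000409: "STATUS_STACK_BUFFER_OVERRUN", 0xC0000135: "STATUS_DLL_NOT_FOUND"}


def parse_records(text):
    """Flat layout: key on one line, value on the next, module paths after 'Image';
    a blank line ends a record."""
    records, rec, key = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            if rec:
                records.append(rec)
            rec, key = {}, None
        elif line in KEYS:
            key = line
            if key == "Image":
                rec["modules"] = []
        elif key == "Image":
            rec["modules"].append(line.lower())
        elif key and key not in rec:  # first non-key line after a key is that key's value
            rec[key] = line
    if rec:
        records.append(rec)
    return records


def decode_exit(code):
    """Severity bits 0b11 mark an NTSTATUS error; name the common ones."""
    if code is None:
        return "n/a"
    v = int(code) & 0xFFFFFFFF
    return f"0x{v:08X} {NTSTATUS.get(v, 'NTSTATUS error')}" if v >> 30 == 3 else str(v)


def resolve_parents(records):
    """'Parent process' is only an image name. When several PIDs share it, prefer the
    candidate whose module list maps the child's image (ANY.RUN lists dropped images there);
    a process's own image always heads its list, so the record itself is skipped."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["Path"].rsplit("\\", 1)[-1].lower()].append(r)
    for r in records:
        cands = [c for c in by_name[r.get("Parent process", "").lower()] if c is not r]
        hits = [c for c in cands if r["Path"].lower() in c.get("modules", [])]
        r["parent_pid"] = (hits or cands or [{"PID": None}])[0]["PID"]
    return {r["PID"]: r for r in records}


def process_tree(records):
    """Rows of (depth, pid, image, integrity, decoded exit code) in tree order."""
    nodes = resolve_parents(records)
    kids = defaultdict(list)
    for r in records:
        kids[r["parent_pid"]].append(r["PID"])

    def walk(pid, depth):
        r = nodes[pid]
        yield (depth, pid, r["Path"].rsplit("\\", 1)[-1], r.get("Integrity Level", "?"),
               decode_exit(r.get("Exit code")))
        for child in kids[pid]:
            yield from walk(child, depth + 1)
    return [row for root in kids[None] for row in walk(root, 0)]


def uac_relaunches(records):
    """(failed_pid, elevated_pid): a MEDIUM instance that died with STATUS_ELEVATION_REQUIRED
    and a HIGH instance of the same image, the pattern UAC auto-confirmation produces."""
    failed = [r for r in records if r.get("Integrity Level") == "MEDIUM"
              and int(r.get("Exit code", "0")) == 0xC000042C]
    return [(a["PID"], b["PID"]) for a in failed for b in records
            if b is not a and b["Path"] == a["Path"] and b.get("Integrity Level") == "HIGH"]


# Abridged from the report's own records (PIDs 3200, 3364, 2972); most fields omitted.
REPORT = r"""
PID
3200
Path
C:\Users\admin\AppData\Local\Temp\fuck_spheres.exe
Parent process
––
Integrity Level
MEDIUM
Exit code
3221226540

PID
3364
Path
C:\Users\admin\AppData\Local\Temp\fuck_spheres.exe
Parent process
––
Integrity Level
HIGH
Exit code
0
Modules
Image
c:\users\admin\appdata\local\temp\fuck_spheres.exe
c:\users\admin\appdata\local\temp\winsdksetup.exe

PID
2972
Path
C:\Users\admin\AppData\Local\Temp\winsdksetup.exe
Parent process
fuck_spheres.exe
Integrity Level
HIGH
"""

if __name__ == "__main__":
    recs = parse_records(REPORT)
    for depth, pid, image, level, code in process_tree(recs):
        print(f"{'  ' * depth}{image} (PID {pid}, {level}, exit {code})")
    print("UAC re-launch pairs:", uac_relaunches(recs))
```

The parent heuristic matters here because both fuck_spheres.exe instances share a name: only PID 3364 has winsdksetup.exe in its module list, so the dropped children hang off the elevated instance, not the one that died at launch.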

Registry activity

Total events
1069
Read events
747
Write events
322
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3364
fuck_spheres.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3364
fuck_spheres.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3364
fuck_spheres.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
552
winsdksetup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
winsdksetup.exe
552
winsdksetup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
552
winsdksetup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
552
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsdksetup_RASAPI32
EnableFileTracing
0
552
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsdksetup_RASAPI32
EnableConsoleTracing
0
552
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsdksetup_RASAPI32
FileTracingMask
4294901760
552
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsdksetup_RASAPI32
ConsoleTracingMask
4294901760
552
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsdksetup_RASAPI32
MaxFileSize
1048576
552
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsdksetup_RASAPI32
FileDirectory
%windir%\tracing
552
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsdksetup_RASMANCS
EnableFileTracing
0
552
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsdksetup_RASMANCS
EnableConsoleTracing
0
552
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsdksetup_RASMANCS
FileTracingMask
4294901760
552
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsdksetup_RASMANCS
ConsoleTracingMask
4294901760
552
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsdksetup_RASMANCS
MaxFileSize
1048576
552
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\winsdksetup_RASMANCS
FileDirectory
%windir%\tracing
552
winsdksetup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
552
winsdksetup.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
(binary value not reproduced)
552
winsdksetup.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
552
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
Blob
(binary value not reproduced)
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Enter)
400000000000000090C20EF8CD7ED501EC0B0000640A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Enter)
400000000000000090C20EF8CD7ED501EC0B0000640A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
LastIndex
24
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Enter)
4000000000000000389764F8CD7ED501EC0B0000640A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Enter)
400000000000000092F966F8CD7ED501EC0B0000F8030000E803000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Leave)
40000000000000005A8A7BF9CD7ED501EC0B0000F8030000E803000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Leave)
4000000000000000B631FD00CE7ED501EC0B0000640A0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Enter)
4000000000000000B631FD00CE7ED501EC0B0000640A0000D4070000000000000000000000000000000000000000000000000000000000000000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Leave)
4000000000000000E0A61201CE7ED501EC0B0000640A0000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Enter)
4000000000000000B0B92501CE7ED501EC0B000084080000E903000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Leave)
4000000000000000AA414E01CE7ED501EC0B000084080000E903000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Enter)
4000000000000000AA414E01CE7ED501EC0B0000280A0000F903000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Leave)
400000000000000020F25E01CE7ED501EC0B0000280A0000F903000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Enter)
40000000000000002E196601CE7ED501EC0B0000640A00000A04000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Leave)
4000000000000000E20A9C02CE7ED501EC0B00008C0600000A04000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Leave)
400000000000000096CFA002CE7ED501EC0B0000640A0000D0070000010000000000000000000000000000000000000000000000000000000000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Leave)
400000000000000096CFA002CE7ED501EC0B0000640A0000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
FirstRun
0
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
LastIndex
24
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
0
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
StartNesting
0000000000000000
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
BundleCachePath
C:\ProgramData\Package Cache\{126dedf0-cc0e-4b48-9ece-806b0e437195}\winsdksetup.exe
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
BundleUpgradeCode
{D3E6BA1C-C49F-D41D-DCE1-D373C9E42630}
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
BundleAddonCode
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
BundleDetectCode
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
BundlePatchCode
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
BundleVersion
10.1.18362.1
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
VersionMajor
10
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
VersionMinor
1
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
BundleProviderKey
{126dedf0-cc0e-4b48-9ece-806b0e437195}
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
BundleTag
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
EngineVersion
3.14.0.1703
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
DisplayIcon
C:\ProgramData\Package Cache\{126dedf0-cc0e-4b48-9ece-806b0e437195}\winsdksetup.exe,0
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
DisplayName
Windows Software Development Kit - Windows 10.0.18362.1
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
DisplayVersion
10.1.18362.1
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
Publisher
Microsoft Corporation
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
ModifyPath
"C:\ProgramData\Package Cache\{126dedf0-cc0e-4b48-9ece-806b0e437195}\winsdksetup.exe" /modify
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
NoElevateOnModify
1
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
QuietUninstallString
"C:\ProgramData\Package Cache\{126dedf0-cc0e-4b48-9ece-806b0e437195}\winsdksetup.exe" /uninstall /quiet
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
UninstallString
"C:\ProgramData\Package Cache\{126dedf0-cc0e-4b48-9ece-806b0e437195}\winsdksetup.exe" /uninstall
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
EstimatedSize
3027499
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{126dedf0-cc0e-4b48-9ece-806b0e437195}
{126dedf0-cc0e-4b48-9ece-806b0e437195}
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{126dedf0-cc0e-4b48-9ece-806b0e437195}
Version
10.1.18362.1
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{126dedf0-cc0e-4b48-9ece-806b0e437195}
DisplayName
Windows Software Development Kit - Windows 10.0.18362.1
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
Resume
1
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
{126dedf0-cc0e-4b48-9ece-806b0e437195}
"C:\ProgramData\Package Cache\{126dedf0-cc0e-4b48-9ece-806b0e437195}\winsdksetup.exe" /burn.runonce
3052
winsdksetup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{126dedf0-cc0e-4b48-9ece-806b0e437195}
BundleResumeCommandLine
/burn.log.append "C:\Users\admin\AppData\Local\Temp\windowssdk\Windows_Software_Development_Kit___Windows_10.0.18362.1_20191009191822.log"
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Enter)
4000000000000000703381F8CD7ED5014C080000E80F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Enter)
4000000000000000703381F8CD7ED5014C0800002C0A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Enter)
4000000000000000703381F8CD7ED5014C080000D80B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Enter)
4000000000000000703381F8CD7ED5014C080000DC0F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Leave)
40000000000000008C818FF8CD7ED5014C080000D80B0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Leave)
40000000000000008C818FF8CD7ED5014C080000DC0F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Leave)
4000000000000000E6E391F8CD7ED5014C080000E80F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Leave)
4000000000000000F40A99F8CD7ED5014C0800002C0A0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Enter)
4000000000000000B0B92501CE7ED5014C0800002C0A00000104000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Leave)
4000000000000000B0B92501CE7ED5014C0800002C0A00000104000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
4000000000000000266A3601CE7ED5014C0800002C0A0000E903000001000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Enter)
4000000000000000266A3601CE7ED5014C080000E80F0000E903000001000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Enter)
4000000000000000266A3601CE7ED5014C080000DC0F0000E903000001000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Leave)
400000000000000080CC3801CE7ED5014C080000E80F0000E903000000000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_STABLE (SetCurrentState)
400000000000000080CC3801CE7ED5014C080000E80F00000100000001000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Leave)
4000000000000000DA2E3B01CE7ED5014C0800002C0A0000E903000000000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000DA2E3B01CE7ED5014C0800002C0A00000100000001000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Leave)
400000000000000034913D01CE7ED5014C080000DC0F0000E903000000000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_STABLE (SetCurrentState)
400000000000000034913D01CE7ED5014C080000DC0F00000100000001000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Enter)
400000000000000020F25E01CE7ED5014C0800002C0A0000F903000001000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Enter)
400000000000000020F25E01CE7ED5014C080000E80F0000F903000001000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Enter)
400000000000000020F25E01CE7ED5014C080000D80B0000F903000001000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Leave)
400000000000000020F25E01CE7ED5014C0800002C0A0000F903000000000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Leave)
400000000000000020F25E01CE7ED5014C080000E80F0000F903000000000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Leave)
400000000000000020F25E01CE7ED5014C080000D80B0000F903000000000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Enter)
40000000000000002E196601CE7ED5014C080000C00F00000204000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Leave)
4000000000000000ECC3F201CE7ED5014C080000C00F00000204000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Enter)
40000000000000004626F501CE7ED5014C080000C00F0000EA03000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Enter)
4000000000000000AEAFFE01CE7ED5014C0800003C0D0000EA03000001000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Enter)
4000000000000000AEAFFE01CE7ED5014C080000680E0000EA03000001000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Enter)
4000000000000000AEAFFE01CE7ED5014C080000FC0D0000EA03000001000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Leave)
4000000000000000A8372702CE7ED5014C080000680E0000EA03000000000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000A8372702CE7ED5014C080000680E00000200000001000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Leave)
40000000000000006A233302CE7ED5014C0800003C0D0000EA03000000000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000006A233302CE7ED5014C0800003C0D00000200000001000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Leave)
40000000000000006A233302CE7ED5014C080000FC0D0000EA03000000000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000006A233302CE7ED5014C080000FC0D00000200000001000000010000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Leave)
400000000000000064AB5B02CE7ED5014C080000C00F0000EA03000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Enter)
400000000000000064AB5B02CE7ED5014C080000C00F0000EB03000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Enter)
400000000000000064AB5B02CE7ED5014C080000C00F0000EC03000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Enter)
400000000000000018706002CE7ED5014C080000C00D0000EB03000001000000020000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Leave)
400000000000000018706002CE7ED5014C080000C00D0000EB03000000000000020000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
400000000000000018706002CE7ED5014C080000C00D00000300000001000000020000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Enter)
400000000000000018706002CE7ED5014C080000680A0000FC03000001000000030000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Leave)
400000000000000018706002CE7ED5014C080000C00F0000EC03000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Enter)
400000000000000018706002CE7ED5014C080000C00F0000ED03000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Leave)
400000000000000026976702CE7ED5014C080000C00F0000ED03000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Enter)
400000000000000026976702CE7ED5014C080000C00F0000EE03000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Enter)
400000000000000034BE6E02CE7ED5014C080000C00D0000EB03000001000000020000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Leave)
400000000000000034BE6E02CE7ED5014C080000C00D0000EB03000000000000020000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
400000000000000034BE6E02CE7ED5014C080000C00D00000300000001000000020000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Enter)
400000000000000034BE6E02CE7ED5014C0800003C0F0000FC03000001000000030000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Leave)
40000000000000009C477802CE7ED5014C080000C00F0000EE03000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Enter)
40000000000000009C477802CE7ED5014C080000C00F0000F003000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Leave)
40000000000000009C477802CE7ED5014C080000C00F0000F003000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Enter)
40000000000000009C477802CE7ED5014C080000C00F0000EF03000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Enter)
4000000000000000AA6E7F02CE7ED5014C080000180E0000EB03000001000000020000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Leave)
40000000000000005E338402CE7ED5014C080000180E0000EB03000000000000020000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
40000000000000005E338402CE7ED5014C080000180E00000300000001000000020000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Leave)
40000000000000005E338402CE7ED5014C080000C00F0000EF03000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Enter)
40000000000000005E338402CE7ED5014C0800000C0C0000FC03000001000000030000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Leave)
40000000000000005E338402CE7ED5014C080000C00F0000EB03000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Enter)
40000000000000005E338402CE7ED5014C080000C00F00000304000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Leave)
40000000000000005E338402CE7ED5014C080000C00F00000304000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Enter)
40000000000000005E338402CE7ED5014C080000C00F0000FD03000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Enter)
40000000000000005E338402CE7ED5014C08000024070000FD03000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Leave)
4000000000000000C6BC8D02CE7ED5014C08000024070000FD03000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Leave)
4000000000000000C6BC8D02CE7ED5014C080000C00F0000FD03000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Enter)
4000000000000000C6BC8D02CE7ED5014C08000024070000FE03000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Leave)
400000000000000088A89902CE7ED5014C08000024070000FE03000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Enter)
400000000000000088A89902CE7ED5014C08000024070000FF03000001000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2124
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Leave)
400000000000000088A89902CE7ED5014C08000024070000FF03000000000000000000000000000018617D95720D06408590C66DF6893DD10000000000000000
2128
DrvInst.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US

Files activity

Executable files
35
Suspicious files
7
Text files
41
Unknown types
1

Dropped files

PID
Process
Filename
Type
3364
fuck_spheres.exe
C:\Users\admin\AppData\Local\Temp\winsdksetup.exe
executable
MD5: 31bbf735442cc6bdbe416274256b0210
SHA256: 2e28117e82b4d02fe30d564b835ace9976612609271265872f20f2256a9c506b
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\mbapreq.dll
executable
MD5: 28bdbf7bf0b48de60d35240963ffcc24
SHA256: 5ae0618da41f899a15f5a999f1e4a2f231ceea3910baf0adf57676a2190298b5
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\bz2.pyd
executable
MD5: 80558ab30129a2874b8776f4dd96ad7c
SHA256: ca19af8b73e72df5581cff77085bb5885985c91ada16b5a94dd50c827dd51093
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\Microsoft.Diagnostics.Tracing.EventSource.dll
executable
MD5: ad9250c9725e55e11729256336accd56
SHA256: f9836c19b55583433141cbc1ae4542e65919abb0753e806b29740a732526b685
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\_socket.pyd
executable
MD5: 7b2aaef4135df0fd137df1f152de1708
SHA256: 00b31446ad5f7038f253b64a60753d07ff082923c108752d565717947f1a38ba
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\Microsoft.Bootstrapper.dll
executable
MD5: 2fe33c4eec81898d68c1b1abf186ccec
SHA256: fd48fc4d1e5ddb6f0b9c7e098e58a095b13726ce69ea1a98996b2a68bdc5f114
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\msvcm90.dll
executable
MD5: fe419df303a1f7b1dc63c9b9a90bb08c
SHA256: 07babe7bcc9ec1fc385bd6d29d5ffcaa66bbfaa1228768fef708919f850c501d
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\BootstrapperCore.dll
executable
MD5: 789476090439024462cf3694b8090b7d
SHA256: 9c900b865aaab23622c23e6f2eb22dfc881109351fe06f07cd7cc69c80cb55d2
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\msvcr90.dll
executable
MD5: 60847d262410edcc17decebcdbb2f320
SHA256: 7284575514727b330f2d36d5f7c99f5e7b9f882b2bcd494297c123ff34ed0a77
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\sqmapi.dll
executable
MD5: fc6889924c0fbddf99b7da588c97172d
SHA256: 968d74f496162dac8d6906e69a5ddfc13498be4a380afb814cb7eb19a0b167eb
3364
fuck_spheres.exe
C:\Users\admin\AppData\Local\Temp\hdd.exe
executable
MD5: d0511453b926c19ea41abd77540ad47e
SHA256: 63240ba3f70d0cd48612e5c5dfb1aa9f6ecb49b9be98f24a0070ef60c20c7af4
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.be\winsdksetup.exe
executable
MD5: 31bbf735442cc6bdbe416274256b0210
SHA256: 2e28117e82b4d02fe30d564b835ace9976612609271265872f20f2256a9c506b
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\_hashlib.pyd
executable
MD5: ae0ef46bc3a52a92544b6facab0f32a1
SHA256: 61372337fe96d67f92bcb44e6faeefb7fe404a326f819ea33e27d33db98226f5
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\Microsoft.Bootstrapper.Presentation.dll
executable
MD5: 28a709345dc0bd3e55c0c7a0b4c68bee
SHA256: 10dd4f2220903ebd9d4842126fa457835eac0e0495f129b6cd36905f3dc6b779
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\Crypto.Random.OSRNG.winrandom.pyd
executable
MD5: b53518066505502ca8cadec170828a09
SHA256: ab4f9d75f8ae8fd80240ddbb6d04bf1ffa5f2a9cb678a2ff86520b116ff98c77
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\unicodedata.pyd
executable
MD5: 4133485c1e728925502bcab21fb8a3c7
SHA256: f7d9825b06f3b2d758cbf1c664a49d8602721cf43c399030a3dcb9b35f18023a
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\_multiprocessing.pyd
executable
MD5: d675d1f065d2a22ec122375bf8069c1b
SHA256: 1b9e81143aada184ecda900b93cffe4a4bbd6820ca4f6d7f32eb46a000b66099
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\mbahost.dll
executable
MD5: 2ba10d77a0dd711803d905ea64444369
SHA256: 36547e04b852794c0db49ec3c64d7dee428e3ac933b965a85d52785481e01a07
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\_ctypes.pyd
executable
MD5: 7896f2b2b44a6dc7f8021c142339ce07
SHA256: da6f2a24ee007f2ba49b120f6253e2030563093b6abd4514bf81f7f2326ac96a
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\python27.dll
executable
MD5: 39a952048d2fcf4d31ff8bd9af252249
SHA256: 71a902f0cbc1e51f930f5782e2dc6065d20f7ce536a9416bff67cccf83bfb93e
3052
winsdksetup.exe
C:\ProgramData\Package Cache\{126dedf0-cc0e-4b48-9ece-806b0e437195}\winsdksetup.exe
executable
MD5: 31bbf735442cc6bdbe416274256b0210
SHA256: 2e28117e82b4d02fe30d564b835ace9976612609271265872f20f2256a9c506b
2972
winsdksetup.exe
C:\Windows\Temp\{EF33738E-EB02-4BF4-93AD-A68CDA5BB433}\.cr\winsdksetup.exe
executable
MD5: 31bbf735442cc6bdbe416274256b0210
SHA256: 2e28117e82b4d02fe30d564b835ace9976612609271265872f20f2256a9c506b
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\Crypto.Util._counter.pyd
executable
MD5: c47963354f25ad3963a5bb05d5e9eb19
SHA256: 696e5240442db868041c9af4ce5b18485084dbb92e14dfee9a9c54c6e4a32be5
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\select.pyd
executable
MD5: 18ead4bf3a21899f4c94db60ba39da41
SHA256: fb739f595b0c51f0bede73709feb997bbcd15e7c5bedf4a1b1d97856be602c40
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\Crypto.Cipher._DES3.pyd
executable
MD5: c3b2ed26a2daf51266bd148bbd506d2f
SHA256: 8ef2a91d7aff03a29a289d75ff0b79ed615d5146be2267bc5dd49810a6576b99
3364
fuck_spheres.exe
C:\Users\admin\Documents\crypto.exe
executable
MD5: 00994d2447c8056673b5ffda86288ac4
SHA256: a5f4c11f256121e56576978e42693bdbd2c722619ee06a4565de0825e7a967b4
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\Crypto.Hash._SHA256.pyd
executable
MD5: 4e4afb969482c1fb47a4b14690f69dcb
SHA256: ee66379203580b3d8aebce8b5bb76e054e94fbacaf36cdd9563a964e3472a1a3
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\msvcp90.dll
executable
MD5: 989d61bcb56ce788d7c39d59b83838e7
SHA256: 0ba583318f5ecd2cad7f26e5673cf1e6353075a0174616744012b71e05aa25e6
3052
winsdksetup.exe
C:\ProgramData\Package Cache\.unverified\package_SDKDebuggers_x86_en_us
executable
MD5: dd4ce77127f7263df3249799053bbfe8
SHA256: 1519154016cce710c41b16121e288fa6dcedb5e1e07095ab7bdd81f9a9d0bb3e
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\Crypto.Util.strxor.pyd
executable
MD5: b9ce4ba1e8bbf6cbf291091a1faab129
SHA256: 8df6230baf4077f2009ed72ba39c0a68241cdfbf040f36f25b0373acdb409c50
3052
winsdksetup.exe
C:\ProgramData\Package Cache\{1AA664F4-B63F-74FD-35B6-993DDA3DEF81}v10.1.18362.1\Installers\SDK Debuggers-x86_en-us.msi
executable
MD5: dd4ce77127f7263df3249799053bbfe8
SHA256: 1519154016cce710c41b16121e288fa6dcedb5e1e07095ab7bdd81f9a9d0bb3e
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\pyexpat.pyd
executable
MD5: e7d033f40f44d497d6ddc5cc020ca40b
SHA256: 3285c94ae4c801147f564e92f1dd8dc00d630e041f80b33dd37300ce597004a6
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\Crypto.Cipher._AES.pyd
executable
MD5: 587d83fb55a1efc29200ec4b832d4fce
SHA256: b8506860d4b68ed2dc99efad8562163744dd91ef35ccc1e48464e92b714f6b39
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\Crypto.Cipher._DES.pyd
executable
MD5: 4a67b90173af66b3ada729118b2e8f94
SHA256: a31e426dda1f45672e898faeeb36fd877c395ab87d5d436ecd15d6fce3717da4
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\_ssl.pyd
executable
MD5: b64a8677ad7fda3ef730ffc4533fd1f8
SHA256: 4edd88905e478aac34adabc783a2f695644528f1d8e2426b1f4fa0bcfab03682
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\pay0476346607760183E155A637E561B320
––
MD5:  ––
SHA256:  ––
3052
winsdksetup.exe
C:\ProgramData\Package Cache\{1AA664F4-B63F-74FD-35B6-993DDA3DEF81}v10.1.18362.1\Installers\e10f9740446a96314a1731aa7cb4286a.cab
compressed
MD5: 63da86ff9853948cc75479ad2aaf295e
SHA256: 09e89bec6fd5bda47b4ceac4839c164f945e686846d71b27e66886ce7be3168d
3052
winsdksetup.exe
C:\System Volume Information\SPP\OnlineMetadataCache\{957d6118-0d72-4006-8590-c66df6893dd1}_OnDiskSnapshotProp
binary
MD5: dd4d6273c3f63067314b1c7837b7abfd
SHA256: f10b7b4fe2046780eabbf902f35b5319552b51759fffbf99b80192db9b06d2fc
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\crypto.exe.manifest
xml
MD5: f4090b3720e427b018dbb0aa0a983818
SHA256: 36b7434e7cda910df3d4956b823244b7707d3978883fc40acd75290ced57786f
3052
winsdksetup.exe
C:\System Volume Information\SPP\metadata-2
––
MD5:  ––
SHA256:  ––
2128
DrvInst.exe
C:\Windows\INF\setupapi.ev1
binary
MD5: 93d8586c2ede27aab7adeccc2af9a3f0
SHA256: a54244d4a4de30b57d37917e761c0d9b37d314a7d10fbbb44ab0076534765473
2128
DrvInst.exe
C:\Windows\INF\setupapi.ev3
binary
MD5: 8f761032829fb6121aee77e26dc667a6
SHA256: f83e1592023b7c8f6c15847f26d30770c0a52e6c7304dba951eea437e2737649
2128
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: e2f1d17cce2e16098bdb0df795912d4c
SHA256: bb26a7db8bc806f31b7ef6ebd2d6b0e0a064ea81f3ef72e4cd74c8e618f26bd5
2128
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: c336f58266724617d035350df2042f07
SHA256: e38fd1b83d51369c25b5bd18015322e07694a7cc533a1c9f531fbb0e6c31e445
2128
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
text
MD5: a7203e7b5f2dd87c2c90174bd7177399
SHA256: 688d5992ac9b2a3dbee4666e8ce80f83cdb70f65f703f947d38782e24274cdf2
3052
winsdksetup.exe
C:\ProgramData\Package Cache\{126dedf0-cc0e-4b48-9ece-806b0e437195}\state.rsm
smt
MD5: 3193f7b0253e8e71011bbe77ffe00568
SHA256: 4b003b6f6b28b3ed813089e9c6e61ad2ee5abfce36eaaa611d85806f28497803
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\package_SDKDebuggers_x86_en_us.R
––
MD5:  ––
SHA256:  ––
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\package_SDKDebuggers_x86_en_us
––
MD5:  ––
SHA256:  ––
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\pay03217869F70E66A5C2D6DD75850FD0D9
––
MD5:  ––
SHA256:  ––
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\pay03217869F70E66A5C2D6DD75850FD0D9.R
––
MD5:  ––
SHA256:  ––
2844
crypto.exe
C:\Users\admin\AppData\Local\Temp\_MEI28442\Microsoft.VC90.CRT.manifest
xml
MD5: 0bcae6094fda15852a9d5c1e1f03bb24
SHA256: 454e12bc0ded5a81b52f38d73942e9f0a1bd2073ac2e976f63a8af115c7ea296
3052
winsdksetup.exe
C:\ProgramData\Package Cache\.unverified\pay03217869F70E66A5C2D6DD75850FD0D9
––
MD5:  ––
SHA256:  ––
3052
winsdksetup.exe
C:\ProgramData\Package Cache\{1AA664F4-B63F-74FD-35B6-993DDA3DEF81}v10.1.18362.1\Installers\34ef8c7e30b6852e56ba7a56fb7b3faa.cab
compressed
MD5: aaf5717917f4eb26b50d9366f4666ee3
SHA256: e51eaba26e70782a8af2b9db3117ed4f927ee1c23d05a1c7b82dfded82cf0c67
3052
winsdksetup.exe
C:\ProgramData\Package Cache\.unverified\pay11CA1EE986EC502246F3404081C57939
––
MD5:  ––
SHA256:  ––
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\pay0476346607760183E155A637E561B320.R
––
MD5:  ––
SHA256:  ––
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\BootstrapperApplicationData.xml
xml
MD5: 7f225f5ea5ec352d3720a61bff30a244
SHA256: b28e007339705645e5ac871a24fb6357e1101d7ff35d800064f92ef65b2b18db
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\UserExperienceManifest.xml
text
MD5: 98e3ca0ff7b6dadea3c65299086a3d3f
SHA256: f23bad2532bba72318cbfd1fb78a35e0d6b4ab9eba65010233a5d781d0ea89e3
3052
winsdksetup.exe
C:\ProgramData\Package Cache\.unverified\pay0476346607760183E155A637E561B320
––
MD5:  ––
SHA256:  ––
3052
winsdksetup.exe
C:\ProgramData\Package Cache\{1AA664F4-B63F-74FD-35B6-993DDA3DEF81}v10.1.18362.1\Installers\e680f23450a21a27b2077dbdc08ca430.cab
––
MD5:  ––
SHA256:  ––
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\pay058A7A6C79AF7FC1A6B0C192B3EF3CF1.R
––
MD5:  ––
SHA256:  ––
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\license.rtf
text
MD5: 1c2304fd72c13d32e690924a5cb0f150
SHA256: 863a7b97ebd8fc2ba102fd7f12183cc75e281c5637f9a6ccb341cd0a2cfed297
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\pay058A7A6C79AF7FC1A6B0C192B3EF3CF1
––
MD5:  ––
SHA256:  ––
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\mbapreq.png
image
MD5: a356956fd269567b8f4612a33802637b
SHA256: a401a225addaf89110b4b0f6e8cf94779e7c0640bcdd2d670ffcf05aab0dad03
3052
winsdksetup.exe
C:\ProgramData\Package Cache\.unverified\pay058A7A6C79AF7FC1A6B0C192B3EF3CF1
––
MD5:  ––
SHA256:  ––
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\mbapreq.wxl
xml
MD5: 2598179319adf312d99fc4f9379572d3
SHA256: b3204b5ccfb0e5e7b43d8448b2b9e179423f1b139e53aa72616c498246090c3c
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\NetfxLicense.rtf
text
MD5: ec356d9bb20437848228f5c480fd111c
SHA256: 48ae54dd5a7dca60de835c384648433099c702bab71eb3339d88b96424db500e
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\mbapreq.thm
xml
MD5: 9f63155a23573d3e522cd28e982658b1
SHA256: df05ac2a44327303b718b9fc05d306047ec387ee551664b8eb9b3e48df24b5f9
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\.ba\BootstrapperCore.config
xml
MD5: 57aa0f7b5f6f076454f075a88bcc0cc9
SHA256: 361079f9f118e11ea3f05d75fd3874664c94334f453177242c8e32f0881a3527
3052
winsdksetup.exe
C:\ProgramData\Package Cache\{1AA664F4-B63F-74FD-35B6-993DDA3DEF81}v10.1.18362.1\Installers\4040fdfbcd753e650c0e3a5bce3ed7a2.cab
compressed
MD5: a74424ff70a325a6b9c7fd67ffdc1af7
SHA256: 299c8f9d66ba2254944d7ca12b48437ed420be80d3fefcaf550bee41fe4da30c
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\pay11CA1EE986EC502246F3404081C57939.R
––
MD5:  ––
SHA256:  ––
552
winsdksetup.exe
C:\Windows\Temp\{8138BF5E-4579-4E6D-B9A6-6296A927979D}\pay11CA1EE986EC502246F3404081C57939
––
MD5:  ––
SHA256:  ––
3052
winsdksetup.exe
C:\System Volume Information\SPP\snapshot-2
binary
MD5: dd4d6273c3f63067314b1c7837b7abfd
SHA256: f10b7b4fe2046780eabbf902f35b5319552b51759fffbf99b80192db9b06d2fc

Network activity

HTTP(S) requests
1
TCP/UDP connections
8
DNS requests
2
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
552 winsdksetup.exe GET 302 2.19.38.59:80 http://go.microsoft.com/fwlink/?prd=11966&pver=1.0&plcid=0x409&clcid=0x409&ar=Windows10&sar=SDK&o1=10.0.18362.1 unknown –– –– whitelisted

Connections

PID Process IP ASN CN Reputation
552 winsdksetup.exe 2.19.38.59:80 Akamai International B.V. –– whitelisted
552 winsdksetup.exe 2.18.233.19:443 Akamai International B.V. –– whitelisted

DNS requests

Domain IP Reputation
go.microsoft.com 2.19.38.59 whitelisted
download.microsoft.com 2.18.233.19 whitelisted

Threats

No threats detected.

Debug output strings

No debug info.