General Info

File name

7z1900.msi

Full analysis
https://app.any.run/tasks/edb8c4eb-c466-4747-af5b-9ed871b00cf0
Verdict
Malicious activity
Analysis date
8/13/2019, 18:07:56
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

generated-doc

Indicators:

MIME:
application/x-msi
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {E0F63E23-BB2A-4641-AC60-A866CEBD2E50}, Number of Words: 10, Subject: PDF Files and Configuration of Computer, Author: DF Files and Configuration of Computer, Name of Creating Application: Advanced Installer 15.9 build daae28bc, Template: ;1033, Comments: This installer database contains the logic and data required to install PDF Files and Configuration of Computer., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5

1860af916b007f1013ef5746e95400cd

SHA1

0e41c17b397d1abb448445f520f5b4ae236be77e

SHA256

f64936bcb446ab56b259d8bcd1d47e452485b98a7d7182f2a02fd899dbda55f5

SSDEEP

98304:RYDo9Ai6UtaL9u8/vN/auoq3IovBYRN1IP/MjdSZbhSr:76UIY8t/S0vB6NCP/M02r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Writes to a start menu file
  • msiexec.exe (PID: 3600)
Executed via COM
  • DllHost.exe (PID: 2980)
  • DrvInst.exe (PID: 2744)
Executable content was dropped or overwritten
  • AdobeARM.exe (PID: 3488)
  • msiexec.exe (PID: 3600)
  • msiexec.exe (PID: 1404)
Creates files in the user directory
  • vlc.exe (PID: 2628)
  • msiexec.exe (PID: 3600)
Reads Environment values
  • MSIBFFC.tmp (PID: 2948)
Creates files in the program directory
  • AdobeARM.exe (PID: 3488)
Executed as Windows Service
  • vssvc.exe (PID: 3460)
Manual execution by user
  • explorer.exe (PID: 900)
  • vlc.exe (PID: 2628)
Loads dropped or rewritten executable
  • MsiExec.exe (PID: 1820)
  • MsiExec.exe (PID: 3952)
Application launched itself
  • msiexec.exe (PID: 3600)
  • AcroRd32.exe (PID: 3076)
  • RdrCEF.exe (PID: 1104)
Adds / modifies Windows certificates
  • DrvInst.exe (PID: 2744)
Application was dropped or rewritten from another process
  • MSIBFFC.tmp (PID: 2948)
Starts application with an unusual extension
  • msiexec.exe (PID: 3600)
Low-level read access rights to disk partition
  • vssvc.exe (PID: 3460)
Searches for installed software
  • msiexec.exe (PID: 3600)
Changes settings of System certificates
  • DrvInst.exe (PID: 2744)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.msi
|   Microsoft Windows Installer (81.9%)
.mst
|   Windows SDK Setup Transform Script (9.2%)
.msp
|   Windows Installer Patch (7.6%)
.msi
|   Microsoft Installer (100%)
EXIF
FlashPix
LastPrinted:
2009:12:11 11:47:44
CreateDate:
2009:12:11 11:47:44
ModifyDate:
2009:12:11 11:47:44
Security:
None
CodePage:
Windows Latin 1 (Western European)
RevisionNumber:
{E0F63E23-BB2A-4641-AC60-A866CEBD2E50}
Words:
10
Subject:
PDF Files and Configuration of Computer
Author:
DF Files and Configuration of Computer
LastModifiedBy:
null
Software:
Advanced Installer 15.9 build daae28bc
Template:
;1033
Comments:
This installer database contains the logic and data required to install PDF Files and Configuration of Computer.
Title:
Installation Database
Keywords:
Installer, MSI, Database
Pages:
200

Screenshots

Processes

Total processes
59
Monitored processes
17
Malicious processes
0
Suspicious processes
0

Behavior graph

+
start drop and start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs drvinst.exe no specs msiexec.exe no specs msibffc.tmp no specs acrord32.exe acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs vlc.exe adobearm.exe reader_sl.exe no specs explorer.exe no specs Shell Security Editor no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
1404
CMD
"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\7z1900.msi"
Path
C:\Windows\System32\msiexec.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msisip.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\msihnd.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\ntmarta.dll

PID
3600
CMD
C:\Windows\system32\msiexec.exe /V
Path
C:\Windows\system32\msiexec.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samlib.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msisip.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\cabinet.dll
c:\windows\installer\msibffc.tmp

PID
3952
CMD
C:\Windows\system32\MsiExec.exe -Embedding D049815FFC8633A81C325105865EBB15 C
Path
C:\Windows\system32\MsiExec.exe
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\users\admin\appdata\local\temp\msi10a4.tmp
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\users\admin\appdata\local\temp\msi1160.tmp
c:\users\admin\appdata\local\temp\msi1190.tmp
c:\users\admin\appdata\local\temp\msi11ef.tmp

PID
3460
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
2744
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000005DC" "00000540"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

PID
1820
CMD
C:\Windows\system32\MsiExec.exe -Embedding B620313885D4D08C47E986A5CEE904B2
Path
C:\Windows\system32\MsiExec.exe
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msibd2a.tmp
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll

PID
2948
CMD
"C:\Windows\Installer\MSIBFFC.tmp" /DontWait /dir "C:\Users\admin\AppData\Local\Temp\" Invoice.pdf
Path
C:\Windows\Installer\MSIBFFC.tmp
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Caphyon LTD
Description
File that launches another file
Version
15.9.0.0
Modules
Image
c:\windows\installer\msibffc.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\shdocvw.dll
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe

PID
3076
CMD
"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\Invoice.pdf"
Path
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Indicators
Parent process
MSIBFFC.tmp
User
admin
Integrity Level
MEDIUM
Version:
Company
Adobe Systems Incorporated
Description
Adobe Acrobat Reader DC
Version
15.23.20070.215641
Modules
Image
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\kbdus.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sspicli.dll
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\fveui.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\program files\common files\adobe\arm\1.0\adobearm.exe

PID
3168
CMD
"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\Invoice.pdf"
Path
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Indicators
No indicators
Parent process
AcroRd32.exe
User
admin
Integrity Level
LOW
Version:
Company
Adobe Systems Incorporated
Description
Adobe Acrobat Reader DC
Version
15.23.20070.215641
Modules
Image
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\adobe\acrobat reader dc\reader\acrord32.dll
c:\program files\adobe\acrobat reader dc\reader\agm.dll
c:\windows\system32\msvcp120.dll
c:\windows\system32\msvcr120.dll
c:\windows\system32\version.dll
c:\program files\adobe\acrobat reader dc\reader\bib.dll
c:\program files\adobe\acrobat reader dc\reader\cooltype.dll
c:\program files\adobe\acrobat reader dc\reader\ace.dll
c:\windows\system32\profapi.dll
c:\program files\adobe\acrobat reader dc\reader\plug_ins\acroform.api
c:\windows\system32\sensapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\program files\adobe\acrobat reader dc\reader\axsle.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\program files\adobe\acrobat reader dc\reader\plug_ins\digsig.api
c:\program files\adobe\acrobat reader dc\reader\plug_ins\ppklite.api
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\program files\adobe\acrobat reader dc\reader\axe8sharedexpat.dll
c:\program files\adobe\acrobat reader dc\reader\plug_ins\weblink.api
c:\program files\adobe\acrobat reader dc\reader\plug_ins\escript.api
c:\windows\system32\winmm.dll
c:\program files\adobe\acrobat reader dc\reader\adobexmp.dll
c:\program files\adobe\acrobat reader dc\reader\plug_ins\accessibility.api
c:\program files\adobe\acrobat reader dc\reader\plug_ins\annots.api
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\atmlib.dll
c:\program files\adobe\acrobat reader dc\reader\icuuc40.dll
c:\program files\adobe\acrobat reader dc\reader\icudt40.dll
c:\program files\adobe\acrobat reader dc\reader\icudt40_full.dll
c:\program files\adobe\acrobat reader dc\reader\bibutils.dll
c:\program files\adobe\acrobat reader dc\reader\sqlite.dll
c:\program files\adobe\acrobat reader dc\reader\plug_ins\ia32.api
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mscms.dll
c:\windows\system32\userenv.dll
c:\program files\adobe\acrobat reader dc\reader\plug_ins\updater.api

PID
1104
CMD
"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250
Path
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Indicators
No indicators
Parent process
AcroRd32.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Adobe Systems Incorporated
Description
Adobe RdrCEF
Version
15.23.20053.211670
Modules
Image
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\program files\adobe\acrobat reader dc\reader\acrocef\libcef.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\version.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\kbdus.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\audioses.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\apphelp.dll

PID
1928
CMD
"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="1104.0.490431651\206576070" --allow-no-sandbox-job /prefetch:673131151
Path
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Indicators
No indicators
Parent process
RdrCEF.exe
User
admin
Integrity Level
LOW
Version:
Company
Adobe Systems Incorporated
Description
Adobe RdrCEF
Version
15.23.20053.211670
Modules
Image
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\program files\adobe\acrobat reader dc\reader\acrocef\libcef.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll

PID
2224
CMD
"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="1104.1.928838682\1992842677" --allow-no-sandbox-job /prefetch:673131151
Path
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Indicators
No indicators
Parent process
RdrCEF.exe
User
admin
Integrity Level
LOW
Version:
Company
Adobe Systems Incorporated
Description
Adobe RdrCEF
Version
15.23.20053.211670
Modules
Image
c:\program files\adobe\acrobat reader dc\reader\acrocef\rdrcef.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\program files\adobe\acrobat reader dc\reader\acrocef\libcef.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll

PID
2628
CMD
"C:\Program Files\VideoLAN\VLC\vlc.exe"
Path
C:\Program Files\VideoLAN\VLC\vlc.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
VideoLAN
Description
VLC media player
Version
2.2.6
Modules
Image
c:\program files\videolan\vlc\vlc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\videolan\vlc\libvlc.dll
c:\program files\videolan\vlc\libvlccore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winmm.dll
c:\program files\videolan\vlc\plugins\access\libdshow_plugin.dll
c:\windows\system32\oleaut32.dll
c:\program files\videolan\vlc\plugins\audio_output\libdirectsound_plugin.dll
c:\program files\videolan\vlc\plugins\audio_output\libwaveout_plugin.dll
c:\program files\videolan\vlc\plugins\video_output\libdirect3d_plugin.dll
c:\program files\videolan\vlc\plugins\video_output\libdirectdraw_plugin.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\program files\videolan\vlc\plugins\control\libhotkeys_plugin.dll
c:\program files\videolan\vlc\plugins\control\libwin_hotkeys_plugin.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\program files\videolan\vlc\plugins\gui\libqt4_plugin.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wsock32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\videolan\vlc\plugins\lua\liblua_plugin.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\program files\videolan\vlc\plugins\misc\libexport_plugin.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
3488
CMD
"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:15.0 /MODE:3
Path
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Indicators
Parent process
AcroRd32.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Adobe Systems Incorporated
Description
Adobe Reader and Acrobat Manager
Version
1.824.27.2646
Modules
Image
c:\program files\common files\adobe\arm\1.0\adobearm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wintrust.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\program files\adobe\acrobat reader dc\reader\reader_sl.exe
c:\windows\system32\normaliz.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\qmgrprxy.dll
c:\windows\system32\msisip.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\wshext.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\program files\common files\adobe\arm\1.0\adobearmhelper.exe
c:\windows\system32\imagehlp.dll

PID
3576
CMD
"C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
Path
C:\Program Files\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
Indicators
No indicators
Parent process
AdobeARM.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Adobe Systems Incorporated
Description
Adobe Acrobat SpeedLauncher
Version
15.23.20053.211670
Modules
Image
c:\program files\adobe\acrobat reader dc\reader\reader_sl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcp120.dll
c:\windows\system32\msvcr120.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
900
CMD
"C:\Windows\explorer.exe"
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\actxprxy.dll

PID
2980
CMD
C:\Windows\system32\DllHost.exe /Processid:{4D111E08-CBF7-4F12-A926-2C7920AF52FC}
Path
C:\Windows\system32\DllHost.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
COM Surrogate
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

Registry activity

Total events
1245
Read events
1005
Write events
234
Delete events
6

Modification events

PID
Process
Operation
Key
Name
Value
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Enter)
40000000000000004200066BF151D501100E0000C00D0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Enter)
40000000000000004200066BF151D501100E0000C00D0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
LastIndex
24
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Enter)
4000000000000000E2252C6BF151D501100E0000C00D0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Enter)
40000000000000003C882E6BF151D501100E000038080000E8030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Leave)
4000000000000000F4BAE36BF151D501100E000038080000E8030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Leave)
40000000000000009A39D771F151D501100E0000C00D0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Enter)
40000000000000009A39D771F151D501100E0000C00D0000D4070000000000000000000000000000000000000000000000000000000000000000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Leave)
40000000000000006A4CEA71F151D501100E0000C00D0000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Enter)
40000000000000003A5FFD71F151D501100E0000A80F0000E9030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Leave)
400000000000000026C01E72F151D501100E0000A80F0000E9030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Enter)
400000000000000026C01E72F151D501100E0000B40E0000F9030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Leave)
4000000000000000420E2D72F151D501100E0000B40E0000F9030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Enter)
4000000000000000F6D23172F151D501100E0000C00D00000A040000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Leave)
4000000000000000CC8A4D73F151D501100E00008C0900000A040000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Leave)
4000000000000000CC8A4D73F151D501100E0000C00D0000D0070000010000000000000000000000000000000000000000000000000000000000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Leave)
4000000000000000CC8A4D73F151D501100E0000C00D0000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
FirstRun
0
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
LastIndex
24
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
1
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
StartNesting
4200066BF151D501
3600
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
3600
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Owner
100E000004493059F151D501
3600
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
SessionHash
02B393598C42C787E0184E436F2082D64F0E23E5012C11A18D5653D8EAA3754F
3600
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Sequence
1
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
C:\Windows\Installer\37bad9.ipi
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Config.Msi\
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\37bada.rbs
30757369
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\37bada.rbsLow
3586125776
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\9C82AAD8C267F3149838D666394940AA
15154AC9645D4024F881BAEDFBB38A58
C:\Users\admin\AppData\Roaming\DF Files and Configuration of Computer\PDF Files and Configuration of Computer\
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\D63C369782CAAC64492A827949DC9EA1
15154AC9645D4024F881BAEDFBB38A58
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InternetExplorer.lnk
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\79FA645321954CE47AC61FAB14AB94AC
15154AC9645D4024F881BAEDFBB38A58
C:\Users\admin\AppData\Local\Temp\Invoice.pdf
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\CB913B42ABFAE894CA18CD5B5D126458
15154AC9645D4024F881BAEDFBB38A58
01:\Software\DF Files and Configuration of Computer\PDF Files and Configuration of Computer\Version
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\ACD1E3AEEE50982438CEE03BD3F168C6
15154AC9645D4024F881BAEDFBB38A58
C:\Users\admin\AppData\Roaming\config.vbs
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Users\admin\AppData\Roaming\DF Files and Configuration of Computer\PDF Files and Configuration of Computer\
1
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Users\admin\AppData\Roaming\DF Files and Configuration of Computer\
1
3600
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\DF Files and Configuration of Computer\PDF Files and Configuration of Computer
Version
1.0.1
3600
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\DF Files and Configuration of Computer\PDF Files and Configuration of Computer
Path
C:\Users\admin\AppData\Roaming\DF Files and Configuration of Computer\PDF Files and Configuration of Computer\
3600
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\72\52C64B7E
3600
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\72
3600
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
3600
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback
3600
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
0
3600
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
3600
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Enter)
4000000000000000DCAD546BF151D501840D0000900A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Enter)
4000000000000000DCAD546BF151D501840D00009C080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Enter)
4000000000000000DCAD546BF151D501840D0000940F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Enter)
4000000000000000DCAD546BF151D501840D0000D40E0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Leave)
400000000000000060856C6BF151D501840D00009C080000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Leave)
4000000000000000BAE76E6BF151D501840D0000D40E0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Leave)
4000000000000000144A716BF151D501840D0000900A0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Leave)
40000000000000006EAC736BF151D501840D0000940F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Enter)
4000000000000000E0FCFA71F151D501840D0000940F000001040000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Leave)
40000000000000003A5FFD71F151D501840D0000940F000001040000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
4000000000000000A2E80672F151D501840D0000940F0000E9030000010000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Enter)
4000000000000000A2E80672F151D501840D0000D40E0000E9030000010000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Enter)
4000000000000000A2E80672F151D501840D0000900A0000E9030000010000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Leave)
40000000000000000A721072F151D501840D0000D40E0000E9030000000000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_STABLE (SetCurrentState)
40000000000000000A721072F151D501840D0000D40E000001000000010000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Leave)
40000000000000000A721072F151D501840D0000940F0000E9030000000000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_STABLE (SetCurrentState)
40000000000000000A721072F151D501840D0000940F000001000000010000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Leave)
400000000000000064D41272F151D501840D0000900A0000E9030000000000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_STABLE (SetCurrentState)
400000000000000064D41272F151D501840D0000900A000001000000010000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Enter)
40000000000000008E492872F151D501840D00009C080000F9030000010000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Enter)
40000000000000008E492872F151D501840D0000940F0000F9030000010000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Enter)
40000000000000008E492872F151D501840D0000D40E0000F9030000010000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Leave)
4000000000000000E8AB2A72F151D501840D0000940F0000F9030000000000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Leave)
4000000000000000E8AB2A72F151D501840D0000D40E0000F9030000000000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Leave)
4000000000000000E8AB2A72F151D501840D00009C080000F9030000000000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Enter)
4000000000000000F6D23172F151D501840D0000000B000002040000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Leave)
4000000000000000E46AAB72F151D501840D0000000B000002040000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Enter)
40000000000000003ECDAD72F151D501840D0000000B0000EA030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Enter)
4000000000000000B47DBE72F151D501840D0000900E0000EA030000010000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Enter)
4000000000000000B47DBE72F151D501840D0000340D0000EA030000010000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Enter)
4000000000000000B47DBE72F151D501840D0000FC0F0000EA030000010000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Leave)
4000000000000000A0DEDF72F151D501840D0000340D0000EA030000000000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000A0DEDF72F151D501840D0000340D000002000000010000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Leave)
4000000000000000A0DEDF72F151D501840D0000FC0F0000EA030000000000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000A0DEDF72F151D501840D0000FC0F000002000000010000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Leave)
4000000000000000FA40E272F151D501840D0000900E0000EA030000000000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000FA40E272F151D501840D0000900E000002000000010000000100000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Leave)
400000000000000040040673F151D501840D0000000B0000EA030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Enter)
400000000000000040040673F151D501840D0000000B0000EB030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Enter)
400000000000000040040673F151D501840D0000000B0000EC030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Enter)
40000000000000004E2B0D73F151D501840D0000340D0000EB030000010000000200000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Leave)
40000000000000004E2B0D73F151D501840D0000340D0000EB030000000000000200000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
40000000000000004E2B0D73F151D501840D0000340D000003000000010000000200000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Enter)
40000000000000004E2B0D73F151D501840D000088080000FC030000010000000300000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Leave)
4000000000000000A88D0F73F151D501840D0000000B0000EC030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Enter)
4000000000000000A88D0F73F151D501840D0000000B0000ED030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Leave)
400000000000000010171973F151D501840D0000000B0000ED030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Enter)
400000000000000010171973F151D501840D0000000B0000EE030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Enter)
40000000000000001E3E2073F151D501840D0000B40E0000EB030000010000000200000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Leave)
40000000000000001E3E2073F151D501840D0000B40E0000EB030000000000000200000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
40000000000000001E3E2073F151D501840D0000B40E000003000000010000000200000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Enter)
40000000000000001E3E2073F151D501840D00006C0A0000FC030000010000000300000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Leave)
4000000000000000D2022573F151D501840D0000000B0000EE030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Enter)
4000000000000000D2022573F151D501840D0000000B0000F0030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Leave)
4000000000000000D2022573F151D501840D0000000B0000F0030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Enter)
4000000000000000D2022573F151D501840D0000000B0000EF030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Enter)
40000000000000003A8C2E73F151D501840D0000340D0000EB030000010000000200000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Leave)
400000000000000048B33573F151D501840D0000340D0000EB030000000000000200000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
400000000000000048B33573F151D501840D0000340D000003000000010000000200000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Enter)
400000000000000048B33573F151D501840D000098040000FC030000010000000300000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Leave)
400000000000000048B33573F151D501840D0000000B0000EF030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Leave)
400000000000000048B33573F151D501840D0000000B0000EB030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Enter)
400000000000000048B33573F151D501840D0000000B000003040000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Leave)
400000000000000048B33573F151D501840D0000000B000003040000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Enter)
4000000000000000A2153873F151D501840D0000000B0000FD030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Enter)
4000000000000000A2153873F151D501840D000080060000FD030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Leave)
40000000000000000A9F4173F151D501840D000080060000FD030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Leave)
40000000000000000A9F4173F151D501840D0000000B0000FD030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Enter)
40000000000000000A9F4173F151D501840D000080060000FE030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Leave)
400000000000000072284B73F151D501840D000080060000FE030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Enter)
400000000000000072284B73F151D501840D000080060000FF030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Leave)
400000000000000072284B73F151D501840D000080060000FF030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Enter)
40000000000000000A9F4173F151D501840D0000000B0000FE030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Leave)
400000000000000072284B73F151D501840D0000000B0000FE030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Enter)
400000000000000072284B73F151D501840D0000000B0000FF030000010000000000000000000000000000000000000000000000000000000000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Leave)
400000000000000072284B73F151D501840D0000000B0000FF030000000000000000000000000000000000000000000000000000000000000000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Enter)
400000000000000072284B73F151D501840D0000200D000004040000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Leave)
400000000000000072284B73F151D501840D0000200D000004040000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Enter)
400000000000000072284B73F151D501840D0000000B000005040000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Leave)
4000000000000000CC8A4D73F151D501840D0000000B000005040000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Enter)
4000000000000000CC8A4D73F151D501840D0000000B0000F4030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Leave)
4000000000000000CC8A4D73F151D501840D0000000B0000F4030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Enter)
4000000000000000CC8A4D73F151D501840D0000000B0000F2030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Enter)
4000000000000000423B5E73F151D501840D0000FC0F0000F2030000010000000300000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Enter)
4000000000000000423B5E73F151D501840D0000900E0000F2030000010000000300000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Enter)
4000000000000000423B5E73F151D501840D0000780C0000F2030000010000000300000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000423B5E73F151D501840D00006C0A0000FC030000000000000300000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000423B5E73F151D501840D000098040000FC030000000000000300000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000423B5E73F151D501840D000088080000FC030000000000000300000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Leave)
4000000000000000423B5E73F151D501840D0000FC0F0000F2030000000000000300000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Leave)
4000000000000000423B5E73F151D501840D0000780C0000F2030000000000000300000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Leave)
4000000000000000423B5E73F151D501840D0000900E0000F2030000000000000300000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000423B5E73F151D501840D0000FC0F000004000000010000000300000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000423B5E73F151D501840D0000780C000004000000010000000300000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000423B5E73F151D501840D0000900E000004000000010000000300000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Leave)
4000000000000000423B5E73F151D501840D0000000B0000F2030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Enter)
4000000000000000423B5E73F151D501840D0000000B000006040000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Leave)
40000000000000001AFDA073F151D501840D0000000B000006040000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Enter)
40000000000000001AFDA073F151D501840D0000000B0000F5030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Enter)
4000000000000000C849CE73F151D501840D0000780C0000F5030000010000000400000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Enter)
4000000000000000C849CE73F151D501840D0000900E0000F5030000010000000400000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Enter)
4000000000000000C849CE73F151D501840D0000FC0F0000F5030000010000000400000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Leave)
4000000000000000C849CE73F151D501840D0000780C0000F5030000000000000400000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000C849CE73F151D501840D0000780C000005000000010000000400000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Leave)
400000000000000022ACD073F151D501840D0000FC0F0000F5030000000000000400000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
400000000000000022ACD073F151D501840D0000FC0F000005000000010000000400000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Leave)
4000000000000000E8058D74F151D501840D0000900E0000F5030000000000000400000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000E8058D74F151D501840D0000900E000005000000010000000400000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Leave)
4000000000000000E8058D74F151D501840D0000000B0000F5030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Enter)
4000000000000000E8058D74F151D501840D0000000B000007040000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Leave)
4000000000000000D466AE74F151D501840D0000000B000007040000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Enter)
40000000000000004A17BF74F151D501840D0000000B0000FB030000010000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Enter)
40000000000000004C4E1775F151D501840D0000FC0F0000FB030000010000000500000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Enter)
40000000000000004C4E1775F151D501840D0000B40E0000FB030000010000000500000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Enter)
40000000000000004C4E1775F151D501840D0000340D0000FB030000010000000500000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Leave)
40000000000000004C4E1775F151D501840D0000FC0F0000FB030000000000000500000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Leave)
40000000000000004C4E1775F151D501840D0000B40E0000FB030000000000000500000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Leave)
40000000000000004C4E1775F151D501840D0000340D0000FB030000000000000500000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
3460
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Leave)
40000000000000004C4E1775F151D501840D0000000B0000FB030000000000000000000000000000CE34D4FEC26501438671F463D84EC1B40000000000000000
2744
DrvInst.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
2744
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E
Blob
0F0000000100000014000000A8569CCD21EF9CC5737C7A12DF608C2CBC545DF153000000010000006500000030633021060B2A84680186F6770205010130123010060A2B0601040182373C0101030200C03021060B2A84680186F6770205010730123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C0090000000100000054000000305206082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030306082B06010505070308060A2B0601040182370A030406082B0601050507030606082B060105050703070B0000000100000034000000430065007200740075006D002000540072007500730074006500640020004E006500740077006F0072006B0020004300410000006200000001000000200000005C58468D55F58E497E743982D2B50010B6D165374ACF83A7D4A32DB768C4408E1400000001000000140000000876CDCB07FF24F6C5CDEDBB90BCE284374675F71D0000000100000010000000E3F9AF952C6DF2AAA41706A77A44C20303000000010000001400000007E032E020B72C3F192F0628A2593A19A70F069E2000000001000000BF030000308203BB308202A3A00302010202030444C0300D06092A864886F70D0101050500307E310B300906035504061302504C31223020060355040A1319556E697A65746F20546563686E6F6C6F6769657320532E412E31273025060355040B131E43657274756D2043657274696669636174696F6E20417574686F72697479312230200603550403131943657274756D2054727573746564204E6574776F726B204341301E170D3038313032323132303733375A170D3239313233313132303733375A307E310B300906035504061302504C31223020060355040A1319556E697A65746F20546563686E6F6C6F6769657320532E412E31273025060355040B131E43657274756D2043657274696669636174696F6E20417574686F72697479312230200603550403131943657274756D2054727573746564204E6574776F726B20434130820122300D06092A864886F70D01010105000382010F003082010A0282010100E3FB7DA372BAC2F0C91487F56B014EE16E4007BA6D275D7FF75B2DB35AC7515FABA432A66187B66E0F86D2300297F8D76957A118395D6A6479C60159AC3C314A387CD204D24B28E8205F3B07A2CC4D73DBF3AE4FC756D55AA79689FAF3AB68D423865927CF0927BCAC6E72831C3072DFE0A2E9D2E1747519BD2A9E7B1554041BD74339AD5528C5E21ABBF4C0E4AE384933CC76859F3945D2A49EF2128C51F87CE42D7FF5AC5FEB169FB12DD1BACC9142774C25C990386FDBF0CCFB8E1E97593ED5604EE60528ED4979134BBA48DB2FF972D339CAFE1FD83472F5B440CF3101C3ECDE112D175D1FB850D15E19A769DE073328CA5095F9A754CB54865045A9F9490203010001A3423040300F0603551D130101FF040530030101FF301D0603551D0E041604140876CDCB07FF24F6C5CDEDBB90BCE284374675F7300E0603551D0F0101FF040403020106300D06092A864886F70D01010505000382010100A6A8AD22CE013DA6A3FF62D0489D8B5E72B07844E3DC1CAF09FD2348FABD2AC4B95504B510A38D27DE0B8263D0EEDE0C3779415B22B2B09A415CA670E0D4D077CB23D300E06C562FE1690D0DD9AABF218150D906A5A8FF9537D0AAFEE2B3F5992D45848AE54209D774022FF789D899E9BC27D4478DBA0D461C77CF14A41CB9A431C49C28740334FF331926A5E90D74B73E97C676E82796A366DDE1AEF2415BCA9856837370E4861AD23141BA2FBE2D135A766F4EE84E810E3F5B0322A012BE6658114ACB03C4B42A2A2D9617E03954BC48D376279D9A2D06A6C9EC39D2ABDB9F9A0B27023529B14095E7F9E89C55881946D6B734F57ECE399AD938F151F74F2C
2744
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E
Blob
1900000001000000100000001F7E750B566B128AC0B8D6576D2A70A503000000010000001400000007E032E020B72C3F192F0628A2593A19A70F069E1D0000000100000010000000E3F9AF952C6DF2AAA41706A77A44C2031400000001000000140000000876CDCB07FF24F6C5CDEDBB90BCE284374675F76200000001000000200000005C58468D55F58E497E743982D2B50010B6D165374ACF83A7D4A32DB768C4408E0B0000000100000034000000430065007200740075006D002000540072007500730074006500640020004E006500740077006F0072006B002000430041000000090000000100000054000000305206082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030306082B06010505070308060A2B0601040182370A030406082B0601050507030606082B0601050507030753000000010000006500000030633021060B2A84680186F6770205010130123010060A2B0601040182373C0101030200C03021060B2A84680186F6770205010730123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C00F0000000100000014000000A8569CCD21EF9CC5737C7A12DF608C2CBC545DF12000000001000000BF030000308203BB308202A3A00302010202030444C0300D06092A864886F70D0101050500307E310B300906035504061302504C31223020060355040A1319556E697A65746F20546563686E6F6C6F6769657320532E412E31273025060355040B131E43657274756D2043657274696669636174696F6E20417574686F72697479312230200603550403131943657274756D2054727573746564204E6574776F726B204341301E170D3038313032323132303733375A170D3239313233313132303733375A307E310B300906035504061302504C31223020060355040A1319556E697A65746F20546563686E6F6C6F6769657320532E412E31273025060355040B131E43657274756D2043657274696669636174696F6E20417574686F72697479312230200603550403131943657274756D2054727573746564204E6574776F726B20434130820122300D06092A864886F70D01010105000382010F003082010A0282010100E3FB7DA372BAC2F0C91487F56B014EE16E4007BA6D275D7FF75B2DB35AC7515FABA432A66187B66E0F86D2300297F8D76957A118395D6A6479C60159AC3C314A387CD204D24B28E8205F3B07A2CC4D73DBF3AE4FC756D55AA79689FAF3AB68D423865927CF0927BCAC6E72831C3072DFE0A2E9D2E1747519BD2A9E7B1554041BD74339AD5528C5E21ABBF4C0E4AE384933CC76859F3945D2A49EF2128C51F87CE42D7FF5AC5FEB169FB12DD1BACC9142774C25C990386FDBF0CCFB8E1E97593ED5604EE60528ED4979134BBA48DB2FF972D339CAFE1FD83472F5B440CF3101C3ECDE112D175D1FB850D15E19A769DE073328CA5095F9A754CB54865045A9F9490203010001A3423040300F0603551D130101FF040530030101FF301D0603551D0E041604140876CDCB07FF24F6C5CDEDBB90BCE284374675F7300E0603551D0F0101FF040403020106300D06092A864886F70D01010505000382010100A6A8AD22CE013DA6A3FF62D0489D8B5E72B07844E3DC1CAF09FD2348FABD2AC4B95504B510A38D27DE0B8263D0EEDE0C3779415B22B2B09A415CA670E0D4D077CB23D300E06C562FE1690D0DD9AABF218150D906A5A8FF9537D0AAFEE2B3F5992D45848AE54209D774022FF789D899E9BC27D4478DBA0D461C77CF14A41CB9A431C49C28740334FF331926A5E90D74B73E97C676E82796A366DDE1AEF2415BCA9856837370E4861AD23141BA2FBE2D135A766F4EE84E810E3F5B0322A012BE6658114ACB03C4B42A2A2D9617E03954BC48D376279D9A2D06A6C9EC39D2ABDB9F9A0B27023529B14095E7F9E89C55881946D6B734F57ECE399AD938F151F74F2C
3076
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3076
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3076
AcroRd32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
3076
AcroRd32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
@%SystemRoot%\system32\p2pcollab.dll,-8042
Peer to Peer Trust
3076
AcroRd32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
@%SystemRoot%\system32\qagentrt.dll,-10
System Health Authentication
3076
AcroRd32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
@%SystemRoot%\system32\dnsapi.dll,-103
Domain Name System (DNS) Server Trust
3076
AcroRd32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
@%SystemRoot%\System32\fveui.dll,-843
BitLocker Drive Encryption
3076
AcroRd32.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
@%SystemRoot%\System32\fveui.dll,-844
BitLocker Data Recovery Agent
3076
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3076
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
1404
msiexec.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
3168
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\ExitSection
bLastExitNormal
0
3168
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\DC\DiskCabs
bForms_AdhocWorkflowBackup
0
3168
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\DC\DiskCabs
bJSCache_GlobData
1
3168
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\DC\DiskCabs
bJSCache_GlobSettings
0
3168
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral
bExpandRHPInViewer
1
3168
AcroRd32.exe
write
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\NoTimeOut
smailto
5900
3488
AdobeARM.exe
write
HKEY_CURRENT_USER\Software\Adobe\Adobe ARM\1.0\ARM
iSpeedLauncherLogonTime
E81A0822C946D501
3488
AdobeARM.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3488
AdobeARM.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3488
AdobeARM.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US

Files activity

Executable files
7
Suspicious files
15
Text files
88
Unknown types
14

Dropped files

PID
Process
Filename
Type
3488
AdobeARM.exe
C:\ProgramData\Adobe\ARM\S\4178\AdobeARM.msi
executable
MD5: daef9610629678de57c4567339f6e52c
SHA256: 9aebffc9bb8192c5ba7e51bf7b47246d53837fab2b435d71ccaeaee1cd74c701
3600
msiexec.exe
C:\Windows\Installer\MSIBFFC.tmp
executable
MD5: f46359be28529f3d545a469e0e0abdd7
SHA256: 357d53341f3896612a347e7428a3a326477be3cf8047c9fd1978de5b6ec17712
3600
msiexec.exe
C:\Users\admin\AppData\Roaming\ContractsInvoices.msi
executable
MD5: 152f535c30acd8a01ce71cfc005b3d4c
SHA256: d7ecb50e869809068396d7bc818677c116353fbfd3c5f21ce15850c9a9205288
3600
msiexec.exe
C:\Windows\Installer\MSIBD2A.tmp
executable
MD5: 318dea4099b577bc51ae5e21eb8c566d
SHA256: f335e99ea0a95b99e32d6b60c67621db8e5d096e9d77a0c8f2defcde8f32f54f
3600
msiexec.exe
C:\Windows\Installer\37bad8.msi
executable
MD5: 1860af916b007f1013ef5746e95400cd
SHA256: f64936bcb446ab56b259d8bcd1d47e452485b98a7d7182f2a02fd899dbda55f5
1404
msiexec.exe
C:\Users\admin\AppData\Local\Temp\MSI1190.tmp
executable
MD5: 318dea4099b577bc51ae5e21eb8c566d
SHA256: f335e99ea0a95b99e32d6b60c67621db8e5d096e9d77a0c8f2defcde8f32f54f
3488
AdobeARM.exe
C:\ProgramData\Adobe\ARM\S\4178\AdobeARMHelper.exe
executable
MD5: 7182705213142ee4dcf722aa247dd55c
SHA256: f9b595f657589a25f6f247b4cdd0de7f2ba0319b015d33f000728bfc11d0a1c2
3600
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DFC6B56EC20DE0CA61.TMP
––
MD5:  ––
SHA256:  ––
3488
AdobeARM.exe
C:\ProgramData\Adobe\ARM\ArmReport.ini
text
MD5: c99582152c43232c3f13e6eefaa05aa9
SHA256: 7dcbd82e912d3da9621c82df8ba7078f068bf3230a489481d270a17ffc0b0cb7
3488
AdobeARM.exe
C:\Users\admin\AppData\Local\Temp\Tmp5655.tmp
––
MD5:  ––
SHA256:  ––
2628
vlc.exe
C:\Users\admin\AppData\Roaming\vlc\ml.xspf
xml
MD5: 781602441469750c3219c8c38b515ed4
SHA256: 81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d
2628
vlc.exe
C:\Users\admin\AppData\Roaming\vlc\ml.xspf.tmp2628
––
MD5:  ––
SHA256:  ––
2628
vlc.exe
C:\Users\admin\AppData\Roaming\vlc\vlc-qt-interface.ini
text
MD5: 78a0805296c4ad889194d19a8217157c
SHA256: c5024021b29340afc045221a4a082096615eba8407139048bb52268a46afb26d
3488
AdobeARM.exe
C:\ProgramData\Adobe\ARM\ArmReport.ini
text
MD5: a5deee52b298967638b05dc479def3a9
SHA256: 932ad7d7735eabddcecd281d859df90619225c5ff6d3d5c717b4bcbae46b094d
3488
AdobeARM.exe
C:\Users\admin\AppData\Local\Temp\Tmp6FB2.tmp
––
MD5:  ––
SHA256:  ––
3488
AdobeARM.exe
C:\Users\admin\AppData\Local\Temp\Tmp6FA1.tmp
––
MD5:  ––
SHA256:  ––
3488
AdobeARM.exe
C:\ProgramData\Adobe\ARM\ArmReport.ini
text
MD5: 0972689577e6b2ccf42d3c1ff64e2402
SHA256: 018f194d824aaa510bd87f8b194b01ab7d828f0044641d7f45032c418d7be82f
3488
AdobeARM.exe
C:\Users\admin\AppData\Local\Temp\ArmUI.ini
text
MD5: 864c22fb9a1c0670edf01c6ed3e4fbe4
SHA256: b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0
3168
AcroRd32.exe
C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
sqlite
MD5: 0c988b2be1a3dd3f672faa91054d054c
SHA256: b1d2a16f463088e0e9a58649cafd14722b7a54589d7ee4339e5e9946f06c47aa
3168
AcroRd32.exe
C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
––
MD5:  ––
SHA256:  ––
3168
AcroRd32.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1w8bow4_15oycok_2g0.tmp
––
MD5:  ––
SHA256:  ––
3168
AcroRd32.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R17rkjtx_15oycoj_2g0.tmp
––
MD5:  ––
SHA256:  ––
3168
AcroRd32.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1p6vkef_15oycoh_2g0.tmp
––
MD5:  ––
SHA256:  ––
3168
AcroRd32.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1y2kxst_15oycoi_2g0.tmp
––
MD5:  ––
SHA256:  ––
3168
AcroRd32.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rptyx2r_15oycog_2g0.tmp
––
MD5:  ––
SHA256:  ––
3168
AcroRd32.exe
C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
sqlite
MD5: d8d379a95d759bcf87441ab5e65bf088
SHA256: db3f8f5477d9dec84fd81dfdc58be509ccf277472e36dc2632785fabee76372a
3168
AcroRd32.exe
C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin
binary
MD5: 0f34eb8eee320d85555c4ed9b0f25b95
SHA256: 54922659f4fded074c3d2767c55ab6d58f7417745ea9111ce33cc42fdf398d97
3168
AcroRd32.exe
C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
sqlite
MD5: b93b145fe0eb9ccadf3b49905c4a0ae2
SHA256: 8928b58dc44f172b2bea427a12bc8aa05e44873e6425a6fe6f302964c5a59822
3168
AcroRd32.exe
C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
sqlite
MD5: 26a8885ce9b1e03aac7d6ae6e1343801
SHA256: 37dd44e1ab880b4baefc5abf97b1e24444fe8a3d880a245199ae16e7a520c5a8
3168
AcroRd32.exe
C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
sqlite
MD5: eab71718813cfe89151bbfdc77f7a471
SHA256: cb34a1f8ae424cd9d25fc4a2081ad0f8a5943a027ec5e30d7a02f5bd56ec80a0
3168
AcroRd32.exe
C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
sqlite
MD5: 0b8bdbb076b08e5036ed7e9d59564860
SHA256: 60e1fe70c2c455f22d9be3e19cab4ff36c4d12d92b5058ee5ce71a8c8373e3eb
3168
AcroRd32.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Riayud1_15oycoe_2g0.tmp
pdf
MD5: fdac024552542d3c1bbb6d4e6783e5f5
SHA256: 21f075b53a71eef4fbe7b089dad64a88a89da1321cfb0440919723c6a5f906e0
3168
AcroRd32.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1rxdzje_15oycod_2g0.tmp
pdf
MD5: d69bf55cfeedf87398b400fca7c694a6
SHA256: 3a72d861f138d4f05bf5f7640524733fffe2e431aadb9137bf6612e2751d71ba
3460
vssvc.exe
C:
––
MD5:  ––
SHA256:  ––
1404
msiexec.exe
C:\Users\admin\AppData\Local\Temp\TarE0F.tmp
––
MD5:  ––
SHA256:  ––
3600
msiexec.exe
C:\Windows\Installer\37bad9.ipi
––
MD5:  ––
SHA256:  ––
3488
AdobeARM.exe
C:\ProgramData\Adobe\ARM\ArmReport.ini
text
MD5: 5ede90dc57ed27aeec735cf38c99c0a9
SHA256: d94530922b06377a6c476ddc2f1bc79c683022baa10c8f40409a3eec085381ef
3600
msiexec.exe
C:\Config.Msi\37bada.rbs
––
MD5:  ––
SHA256:  ––
3488
AdobeARM.exe
C:\Users\admin\AppData\Local\Temp\TmpB2A1.tmp
––
MD5:  ––
SHA256:  ––
3600
msiexec.exe
C:\Users\admin\AppData\Roaming\config.vbs
text
MD5: d803eff793eea2ca0b61cf2076460fd6
SHA256: 55c7faeef9ebd820e4e1c6ca5447b08491b1584b4fdbd4eb625c07a9847ab427
3600
msiexec.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InternetExplorer.lnk
lnk
MD5: 540a1231cde3e2ef4a55b9fc42d21a92
SHA256: fd4a7b7904e9528cf426fce17b39328b7aac0768bc6f0a7dc40afd6e51c9f2ce
3600
msiexec.exe
C:\Users\admin\AppData\Local\Temp\Invoice.pdf
pdf
MD5: 18004369aba85cb86f3688c8b2e1f962
SHA256: 6657a8429c1ed50a9c2314aa535684abfb9655a12ef7322a2f2785bb372c4ca1
3600
msiexec.exe
C:\Windows\Installer\MSIBEF0.tmp
binary
MD5: 856cf993eb2c7cfee2e3b6edbee67635
SHA256: 585618335b49d6b00ced8f7ca0896bdabc8a24ac0152448847d2e9f8abe96b80
3600
msiexec.exe
C:\Windows\Installer\37bad9.ipi
binary
MD5: 395e7eb90fc6c4127835d06b36c633b0
SHA256: 0c9af92b73b6fc8acc7d832bb2f996f31ad6ed0923075e48688c24244baca784
3600
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DF4C20B29812A48B10.TMP
––
MD5:  ––
SHA256:  ––
3488
AdobeARM.exe
C:\Users\admin\AppData\Local\Temp\Tmp724B.tmp
––
MD5:  ––
SHA256:  ––
3488
AdobeARM.exe
C:\ProgramData\Adobe\ARM\ArmReport.ini
text
MD5: ed9a489ce308aa7938012744b2be54d5
SHA256: 671f3747af620422de3046a614b37a4ceb67742ae8ef6f8def63fc7791bd22cb
2744
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
text
MD5: 4e8aaf34e30d93f1623f3925e29e2a3c
SHA256: 7acbcd8754125b5a0dddf71f8d8ae6c2b38bc3cdf221baded1382b8ef4640a74
2744
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 7f34eb805ec4aee0a8eb92bbc6be3e33
SHA256: ff3ab2c7cb6ed89e279e772e702871a87f438e8ef4d199b7b79975df3621f4c3
2744
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 06665d57a2036f25d7aed557a16b77d2
SHA256: d384884b985398692e83e16c09b2ca9674e14ec440a9a6c70bc339f1070c7b64
2744
DrvInst.exe
C:\Windows\INF\setupapi.ev3
binary
MD5: 8f761032829fb6121aee77e26dc667a6
SHA256: f83e1592023b7c8f6c15847f26d30770c0a52e6c7304dba951eea437e2737649
2744
DrvInst.exe
C:\Windows\INF\setupapi.ev1
binary
MD5: f7872d1102373a7996bbcfe7f0b3c12c
SHA256: 78ee2f0cffa9aec7df9eb997b031f2aa7389fa44fa91d621631baf7ceb5ea08a
3600
msiexec.exe
C:\System Volume Information\SPP\metadata-2
––
MD5:  ––
SHA256:  ––
3600
msiexec.exe
C:\System Volume Information\SPP\snapshot-2
binary
MD5: ab81ab831279aafcc000168396ab24f7
SHA256: 1684c33077b0a8f6d269a7118bddbc19ec4ed01e185f618909ead01714f5f79b
3600
msiexec.exe
C:\System Volume Information\SPP\OnlineMetadataCache\{fed434ce-65c2-4301-8671-f463d84ec1b4}_OnDiskSnapshotProp
binary
MD5: ab81ab831279aafcc000168396ab24f7
SHA256: 1684c33077b0a8f6d269a7118bddbc19ec4ed01e185f618909ead01714f5f79b
1404
msiexec.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F
der
MD5: d5e98140c51869fc462c8975620faa78
SHA256: 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e
1404
msiexec.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F
binary
MD5: 3aa75fcb6ceced2a8b8020c01e60ff03
SHA256: 7eafe0934a6502113abe65e118cfc98670520463db2dc7f6782280f89a1a2cda
1404
msiexec.exe
C:\Users\admin\AppData\Local\Temp\MSI11EF.tmp
––
MD5:  ––
SHA256:  ––
3488
AdobeARM.exe
C:\Users\admin\AppData\Local\Temp\Tmp723B.tmp
––
MD5:  ––
SHA256:  ––
1404
msiexec.exe
C:\Users\admin\AppData\Local\Temp\MSI1160.tmp
––
MD5:  ––
SHA256:  ––
1404
msiexec.exe
C:\Users\admin\AppData\Local\Temp\MSI10A4.tmp
––
MD5:  ––
SHA256:  ––
1404
msiexec.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
binary
MD5: 132518462f0848a4f600389c20ba7cc8
SHA256: b56c366bf4aa894501b1fe9a3df62eb66d11d476cb6e009ee12cb72f4046cc73
1404
msiexec.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
compressed
MD5: 58a3badc25e15583224e2b922f370a4f
SHA256: 7e0630e9c468031329cad1a21bfb37c12153bda0f4d6298ee1b8682dd0c35f8a
1404
msiexec.exe
C:\Users\admin\AppData\Local\Temp\CabEDD.tmp
––
MD5:  ––
SHA256:  ––
1404
msiexec.exe
C:\Users\admin\AppData\Local\Temp\TarEDE.tmp
––
MD5:  ––
SHA256:  ––
1404
msiexec.exe
C:\Users\admin\AppData\Local\Temp\TarE20.tmp
––
MD5:  ––
SHA256:  ––
1404
msiexec.exe
C:\Users\admin\AppData\Local\Temp\CabE1F.tmp
––
MD5:  ––
SHA256:  ––
1404
msiexec.exe
C:\Users\admin\AppData\Local\Temp\CabE0E.tmp
––
MD5:  ––
SHA256:  ––
3488
AdobeARM.exe
C:\Users\admin\AppData\Local\Temp\TmpB2B2.tmp
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
8
TCP/UDP connections
8
DNS requests
7
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
1404 msiexec.exe GET –– 23.111.11.204:80 http://repository.certum.pl/ctnca.cer US
––
––
whitelisted
1404 msiexec.exe GET 200 67.27.142.126:80 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab US
compressed
whitelisted
1404 msiexec.exe GET 200 67.27.142.126:80 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/07E032E020B72C3F192F0628A2593A19A70F069E.crt US
der
whitelisted
3076 AcroRd32.exe GET 304 2.16.186.97:80 http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip unknown
––
––
whitelisted
3076 AcroRd32.exe GET 304 2.16.186.97:80 http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip unknown
––
––
whitelisted
3076 AcroRd32.exe GET 304 2.16.186.97:80 http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip unknown
––
––
whitelisted
3076 AcroRd32.exe GET 304 2.16.186.97:80 http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip unknown
––
––
whitelisted
3076 AcroRd32.exe GET 304 2.16.186.97:80 http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip unknown
––
––
whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
1404 msiexec.exe 23.111.11.204:80 netDNA US unknown
1404 msiexec.exe 67.27.142.126:80 Level 3 Communications, Inc. US unknown
3076 AcroRd32.exe 2.16.186.97:80 Akamai International B.V. –– whitelisted
3076 AcroRd32.exe 2.18.233.74:443 Akamai International B.V. –– whitelisted
–– –– 2.18.233.74:443 Akamai International B.V. –– whitelisted

DNS requests

Domain IP Reputation
repository.certum.pl 23.111.11.204
whitelisted
www.download.windowsupdate.com 67.27.142.126
67.26.81.254
8.247.185.126
8.241.9.254
8.248.99.254
whitelisted
acroipm2.adobe.com 2.16.186.97
2.16.186.57
whitelisted
armmf.adobe.com 2.18.233.74
whitelisted
ardownload2.adobe.com 2.18.233.74
whitelisted

Threats

No threats detected.

Debug output strings

Process Message
vlc.exe core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.