VMRay Analyzer Report for Sample #609219 VMRay Analyzer 1.11.0 Process 3272 1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe 2044 1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe "C:\Users\WI2yhmtI onvScY7Pe\Desktop\1129c5049ff7842161800d20141de5848888ea44_(B-Ware)_vt.malware.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe Opened Created Created Created Created Created Created Copied Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 2044 explorer.exe 18446744073709551615 explorer.exe C:\Windows\Explorer.EXE C:\Windows\system32 c:\windows\explorer.exe Process 3412 explorer.exe 3272 explorer.exe explorer.exe C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\explorer.exe Process 4464 iexplore.exe 3272 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt MD5 9bb977482db6a5634db518794afcca36 SHA1 2c4d14edf3d59ac1efa272ce05123fb8e0e6207a SHA256 e3a2557d763f89af1ed314225273d1f379c0e4a9fda84da038bad5e5c872b183 File windows\system32\install windows\system32\install c:\ c:\windows\system32\install File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe c:\ c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe exe Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ 
Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Windows\system32\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Windows\system32\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Windows\system32\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER File Users\WI2yhmtI onvScY7Pe\Desktop\1129c5049ff7842161800d20141de5848888ea44_(B-Ware)_vt.malware.exe Users\WI2yhmtI onvScY7Pe\Desktop\1129c5049ff7842161800d20141de5848888ea44_(B-Ware)_vt.malware.exe C:\ C:\Users\WI2yhmtI onvScY7Pe\Desktop\1129c5049ff7842161800d20141de5848888ea44_(B-Ware)_vt.malware.exe exe Process 3412 explorer.exe 3272 explorer.exe explorer.exe C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\explorer.exe Created Created Created Created Created Created Opened Opened Opened Opened Opened Opened Opened Deleted Opened Opened Opened Opened Created Created Created Opened Opened Process C:\Windows\system32\install\svhost.exe None File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt 
users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Mutex ***MUTEX***_PERSIST Mutex ***MUTEX***_SAIR Mutex ***MUTEX*** WinRegistryKey Software\Borland\Locales HKEY_CURRENT_USER WinRegistryKey Software\Borland\Locales HKEY_LOCAL_MACHINE WinRegistryKey Software\Borland\Delphi\Locales HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath StubPath WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath StubPath WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Windows\system32\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Windows\system32\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 
HKEY_CURRENT_USER Policies C:\Windows\system32\install\svhost.exe REG_EXPAND_SZ File File Windows\SysWOW64\explorer.exe Windows\SysWOW64\explorer.exe C:\ C:\Windows\SysWOW64\explorer.exe exe Process 4524 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Copied Created Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4540 iexplore.exe 4524 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe MD5 64699a728e510f29d578edaf3d3cd163 SHA1 1129c5049ff7842161800d20141de5848888ea44 SHA256 6449a8fbc725572f4f151017fc13dcf913b45fef7392e32f71df103efdb8c97f Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install users\wi2yhmti onvscy7pe\appdata\roaming\install c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER 
AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER File Windows\SysWOW64\install\svhost.exe Windows\SysWOW64\install\svhost.exe C:\ C:\Windows\SysWOW64\install\svhost.exe exe Process 4552 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4568 iexplore.exe 4552 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ 
c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4580 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created 
Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4604 iexplore.exe 4580 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI 
onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4620 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4632 iexplore.exe 4620 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE 
Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4640 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4652 iexplore.exe 4640 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe 
Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4660 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4724 iexplore.exe 4660 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI 
onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI 
onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4672 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4744 iexplore.exe 4672 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ 
HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4684 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Deleted Created Opened Process 4752 iexplore.exe 4684 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex 
_x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ Process 4696 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Deleted Created Opened Process 4776 iexplore.exe 4696 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File 
windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ Process 4712 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4808 iexplore.exe 4712 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe 
Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4732 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created 
Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4832 iexplore.exe 4732 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe 
REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4760 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Deleted Created Opened Process 4840 iexplore.exe 4760 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey 
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ Process 4788 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Deleted Created Opened Process 4880 iexplore.exe 4788 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey 
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ Process 4800 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Deleted Created Opened Process 4900 iexplore.exe 4800 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ 
Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ Process 4820 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4940 iexplore.exe 4820 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti 
onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4888 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4972 iexplore.exe 4888 iexplore.exe "C:\Program 
Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath 
C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4912 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Deleted Created Opened Process 4996 iexplore.exe 4912 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ 
HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ Process 4948 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 5020 iexplore.exe 4948 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 
HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4960 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 5040 iexplore.exe 4960 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti 
onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4984 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 5060 iexplore.exe 4984 iexplore.exe "C:\Program 
Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath 
C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 5012 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 5088 iexplore.exe 5012 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed 
Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 5048 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 5108 iexplore.exe 5048 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex 
_x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 5068 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 3384 iexplore.exe 5068 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt 
users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} 
HKEY_CURRENT_USER Process 5080 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 1076 iexplore.exe 5080 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies 
C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 5100 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 1028 iexplore.exe 5100 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey 
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 3392 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4196 iexplore.exe 3392 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe 
Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4140 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created 
Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 1672 iexplore.exe 4140 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe 
REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 2036 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 1804 iexplore.exe 2036 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey 
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4184 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 2976 iexplore.exe 4184 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File 
windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 1296 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Deleted Created Opened Process 4420 iexplore.exe 1296 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program 
files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ Process 4516 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened 
Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 3304 iexplore.exe 4516 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ 
WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4452 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Deleted Created Opened Process 1808 iexplore.exe 4452 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey 
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ Process 132 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4028 iexplore.exe 132 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey 
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 2124 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 2180 iexplore.exe 2124 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe 
Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 3444 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created 
Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 3164 iexplore.exe 3444 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe 
REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 3312 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4852 iexplore.exe 3312 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey 
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 4496 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4444 iexplore.exe 4496 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe File sice File ntice File users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt c:\ c:\users\wi2yhm~1\appdata\local\temp\xx--xx--xx.txt txt File windows\system32\install\svhost.exe windows\system32\install\svhost.exe c:\ c:\windows\system32\install\svhost.exe exe Copied_To File users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe c:\ c:\users\wi2yhmti onvscy7pe\appdata\roaming\install\svhost.exe exe Copied_To File 
windows\syswow64\install\svhost.exe windows\syswow64\install\svhost.exe c:\ c:\windows\syswow64\install\svhost.exe exe Copied_From Copied_From Mutex _x_X_UPDATE_X_x_ Mutex _x_X_PASSWORDLIST_X_x_ Mutex _x_X_BLOCKMOUSE_X_x_ Mutex ***MUTEX*** Mutex ***MUTEX***_PERSIST WinRegistryKey Software\Microsoft\Windows\CurrentVersion HKEY_LOCAL_MACHINE ProductId WinRegistryKey SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER AppData AppData WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies Policies WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies Policies WinRegistryKey Software\Microsoft\Active Setup\Installed Components\ HKEY_CURRENT_USER WinRegistryKey http\shell\open\command HKEY_CLASSES_ROOT WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_LOCAL_MACHINE Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKEY_CURRENT_USER Policies C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe REG_EXPAND_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_LOCAL_MACHINE StubPath C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe Restart REG_SZ WinRegistryKey Software\Microsoft\Active Setup\Installed Components\\{0H1OR2U5-6472-LCE1-8H05-HC2B1WMDD8RA} HKEY_CURRENT_USER Process 2432 svhost.exe 3412 svhost.exe "C:\Windows\system32\install\svhost.exe" C:\Users\WI2yhmtI onvScY7Pe\Desktop c:\windows\syswow64\install\svhost.exe Created Created Created Created Deleted Deleted Created Created Created Created Created Opened Opened Opened Opened Opened Opened Created Created Created Deleted Opened Process 4432 iexplore.exe 2432 iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\WI2yhmtI 
onvScY7Pe\Desktop c:\program files\internet explorer\iexplore.exe
Analyzed Sample #609219 Malware Artifacts 609219 Sample-ID: #609219 Job-ID: #661713 This sample was analyzed by VMRay Analyzer 1.11.0 on a Windows 10 system 77 VTI Score based on VTI Database Version 2.2 Metadata of Sample File #609219 Submission-ID: #609219 C:\Users\WI2yhmtI onvScY7Pe\Desktop\1129c5049ff7842161800d20141de5848888ea44_(B-Ware)_vt.malware.exe exe MD5 64699a728e510f29d578edaf3d3cd163 SHA1 1129c5049ff7842161800d20141de5848888ea44 SHA256
6449a8fbc725572f4f151017fc13dcf913b45fef7392e32f71df103efdb8c97f Opened_By VMRay Analyzer
Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "_x_X_UPDATE_X_x_". Create system object
Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "_x_X_PASSWORDLIST_X_x_". Create system object
Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "_x_X_BLOCKMOUSE_X_x_". Create system object
Anti Analysis VTI rule match with VTI rule score 3/5 vmray_detect_application_sandbox_by_dll Possibly trying to detect "Sandboxie" by checking for existence of module "SbieDll.dll". Try to detect application sandbox
Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "***MUTEX***". Create system object
File System VTI rule match with VTI rule score 1/5 vmray_modify_windows_dir_by_file Modify "c:\windows\system32\install\svhost.exe". Modify operating system directory
Persistence VTI rule match with VTI rule score 1/5 vmray_install_startup_script_by_registry Add "C:\Windows\system32\install\svhost.exe" to Windows startup via registry. Install system startup script or application
Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "***MUTEX***_PERSIST". Create system object
Process VTI rule match with VTI rule score 1/5 vmray_allocate_wx_page Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. Allocate a page with write and execute permissions
Process VTI rule match with VTI rule score 1/5 vmray_allocate_wx_page Allocate a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. Allocate a page with write and execute permissions
Anti Analysis VTI rule match with VTI rule score 1/5 vmray_dynamic_api_usage_by_api Resolve more than 50 APIs. Dynamic API usage
Process VTI rule match with VTI rule score 1/5 vmray_allocate_wx_page Change the protection of a page from writable ("PAGE_READWRITE") to executable ("PAGE_EXECUTE_READ"). Allocate a page with write and execute permissions
Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process "explorer.exe" starts with hidden window. Create process with hidden window
Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process "C:\Program Files\Internet Explorer\iexplore.exe" starts with hidden window. Create process with hidden window
Process VTI rule match with VTI rule score 1/5 vmray_install_ipc_endpoint Create mutex with name "***MUTEX***_SAIR". Create system object
Process VTI rule match with VTI rule score 1/5 vmray_create_process_with_hidden_window The process "C:\Windows\system32\install\svhost.exe" starts with hidden window. Create process with hidden window
Persistence VTI rule match with VTI rule score 1/5 vmray_install_startup_script_by_registry Add "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\install\svhost.exe" to Windows startup via registry. Install system startup script or application
Anti Analysis VTI rule match with VTI rule score 3/5 vmray_detect_virtualpc_by_vpcext Possibly trying to detect VirtualPC via vpcext instruction at "0xb073f0f". Try to detect virtual machine
Injection VTI rule match with VTI rule score 3/5 vmray_modify_memory "c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" modifies memory of "c:\windows\explorer.exe" Write into memory of another process
Injection VTI rule match with VTI rule score 3/5 vmray_modify_memory "c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" modifies memory of "c:\windows\syswow64\explorer.exe" Write into memory of another process
Injection VTI rule match with VTI rule score 3/5 vmray_modify_memory "c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" modifies memory of "c:\program files\internet explorer\iexplore.exe" Write into memory of another process
Injection VTI rule match with VTI rule score 3/5 vmray_modify_memory "c:\windows\syswow64\install\svhost.exe" modifies memory of "c:\program files\internet explorer\iexplore.exe" Write into memory of another process
Injection VTI rule match with VTI rule score 3/5 vmray_create_remote_thread "c:\users\wi2yhmti onvscy7pe\desktop\1129c5049ff7842161800d20141de5848888ea44_(b-ware)_vt.malware.exe" creates thread in "c:\windows\syswow64\explorer.exe" Modify control flow of another process
Process VTI rule match with VTI rule score 1/5 vmray_control_flow_obfuscation Modify exception handler (e.g., the instruction pointer is modified within an exception handler filter). Obfuscate control flow
Process VTI rule match with VTI rule score 2/5 vmray_create_many_processes More than 50 processes were monitored. Create many processes