General Info

File name

1SCX7734769589574545.msi

Full analysis
https://app.any.run/tasks/08a8d09a-9d54-4164-bd00-40eb4bee148f
Verdict
Malicious activity
Analysis date
10/9/2019, 21:33:00
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

generated-doc

Indicators:

MIME:
application/x-msi
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {BB0E8E78-DEDE-4650-9987-BBDA435E617D}, Number of Words: 10, Subject: SCUFhHngaDCD4NEL15, Author: SCUFhHngaDCD4NEL15, Name of Creating Application: Advanced Installer 16.2 build 436ecd62, Template: ;3082, Comments: Esta base de datos del instalador contiene la lgica y los datos necesarios para instalar SCUFhHngaDCD4NEL15., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5

f9654ad045c8b0be904d68a0d81510ab

SHA1

bfeccb1c3a5a1418e5eb74817ee40396f28fa527

SHA256

0b7c0103eb9c3839c667720ce469318e9a2809186ae6c1dd1a65a3916935b15c

SSDEEP

12288:N9fYTFIWlAJPlP41dpd5e6mBLUVEVWE72W8wrkAyJ:NJYTFId/5IqVXCWJrkAy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
on
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Writes to a start menu file
  • MsiExec.exe (PID: 3664)
Changes settings of System certificates
  • msiexec.exe (PID: 2944)
Executed via COM
  • DrvInst.exe (PID: 2292)
Executable content was dropped or overwritten
  • msiexec.exe (PID: 2936)
Creates files in the user directory
  • MsiExec.exe (PID: 3664)
Executed as Windows Service
  • vssvc.exe (PID: 3128)
Low-level read access rights to disk partition
  • vssvc.exe (PID: 3128)
Searches for installed software
  • msiexec.exe (PID: 2936)
Application launched itself
  • msiexec.exe (PID: 2936)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.msi
|   Microsoft Windows Installer (88.6%)
.mst
|   Windows SDK Setup Transform Script (10%)
.msi
|   Microsoft Installer (100%)
EXIF
FlashPix
LastPrinted:
2009:12:11 11:47:44
CreateDate:
2009:12:11 11:47:44
ModifyDate:
2009:12:11 11:47:44
Security:
None
CodePage:
Windows Latin 1 (Western European)
RevisionNumber:
{BB0E8E78-DEDE-4650-9987-BBDA435E617D}
Words:
10
Subject:
SCUFhHngaDCD4NEL15
Author:
SCUFhHngaDCD4NEL15
LastModifiedBy:
null
Software:
Advanced Installer 16.2 build 436ecd62
Template:
;3082
Comments:
Esta base de datos del instalador contiene la lógica y los datos necesarios para instalar SCUFhHngaDCD4NEL15.
Title:
Installation Database
Keywords:
Installer, MSI, Database
Pages:
200

Screenshots

Processes

Total processes
38
Monitored processes
6
Malicious processes
0
Suspicious processes
0

Behavior graph

+
start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs drvinst.exe no specs msiexec.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2944
CMD
"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\1SCX7734769589574545.msi"
Path
C:\Windows\System32\msiexec.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msisip.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\msihnd.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\riched20.dll

PID
2936
CMD
C:\Windows\system32\msiexec.exe /V
Path
C:\Windows\system32\msiexec.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samlib.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msisip.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\devrtl.dll

PID
2588
CMD
C:\Windows\system32\MsiExec.exe -Embedding 52E9A8F8B2D957FC89A36EE9DF914771 C
Path
C:\Windows\system32\MsiExec.exe
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\users\admin\appdata\local\temp\msi51c6.tmp
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\users\admin\appdata\local\temp\msi5235.tmp
c:\users\admin\appdata\local\temp\msi5245.tmp
c:\users\admin\appdata\local\temp\msi5275.tmp

PID
3128
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
2292
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000005C4" "000005C8"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

PID
3664
CMD
C:\Windows\system32\MsiExec.exe -Embedding 0E9FDDF4D0AD46B7593305EC9615A7C0
Path
C:\Windows\system32\MsiExec.exe
Indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msia555.tmp
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\jscript.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\scrrun.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

Registry activity

Total events
759
Read events
567
Write events
186
Delete events
6

Modification events

PID
Process
Operation
Key
Name
Value
2944
msiexec.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
2944
msiexec.exe
write
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\EAB040689A0D805B5D6FD654FC168CFF00B78BE3
Blob
030000000100000014000000EAB040689A0D805B5D6FD654FC168CFF00B78BE31400000001000000140000005379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB040000000100000010000000DB78CBD190952735D940BC80AC2432C00F0000000100000030000000435FE6564241D6B3828352EF9BE443D511C21F0AFB325C4038A5820F00D87774A8EF2193DDAAE065B2572FAF2BF0EE63190000000100000010000000EA6089055218053DD01E37E1D806EEDF18000000010000001000000045ED9BBC5E43D3B9ECD63C060DB78E5C20000000010000007B050000308205773082045FA003020102021013EA28705BF4ECED0C36630980614336300D06092A864886F70D01010C0500306F310B300906035504061302534531143012060355040A130B416464547275737420414231263024060355040B131D41646454727573742045787465726E616C20545450204E6574776F726B312230200603550403131941646454727573742045787465726E616C20434120526F6F74301E170D3030303533303130343833385A170D3230303533303130343833385A308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374205253412043657274696669636174696F6E20417574686F7269747930820222300D06092A864886F70D01010105000382020F003082020A028202010080126517360EC3DB08B3D0AC570D76EDCD27D34CAD508361E2AA204D092D6409DCCE899FCC3DA9ECF6CFC1DCF1D3B1D67B3728112B47DA39C6BC3A19B45FA6BD7D9DA36342B676F2A93B2B91F8E26FD0EC162090093EE2E874C918B491D46264DB7FA306F188186A90223CBCFE13F087147BF6E41F8ED4E451C61167460851CB8614543FBC33FE7E6C9CFF169D18BD518E35A6A766C87267DB2166B1D49B7803C0503AE8CCF0DCBC9E4CFEAF0596351F575AB7FFCEF93DB72CB6F654DDC8E7123A4DAE4C8AB75C9AB4B7203DCA7F2234AE7E3B68660144E7014E46539B3360F794BE5337907343F332C353EFDBAAFE744E69C76B8C6093DEC4C70CDFE132AECC933B517895678BEE3D56FE0CD0690F1B0FF325266B336DF76E47FA7343E57E0EA566B1297C3284635589C40DC19354301913ACD37D37A7EB5D3A6C355CDB41D712DAA9490BDFD8808A0993628EB566CF2588CD84B8B13FA4390FD9029EEB124C957CF36B05A95E1683CCB867E2E8139DCC5B82D34CB3ED5BFFDEE573AC233B2D00BF3555740949D849581A7F9236E651920EF3267D1C4D17BCC9EC4326D0BF415F40A94444F499E757879E501F5754A83EFD74632FB1506509E658422E431A4CB4F0254759FA041E93D426464A5081B2DEBE78B7FC6715E1C957841E0F63D6E962BAD65F552EEA5CC62808042539B80E2BA9F24C971C073F0D52F5EDEF2F820F0203010001A381F43081F1301F0603551D23041830168014ADBD987A34B426F7FAC42654EF03BDE024CB541A301D0603551D0E041604145379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF30110603551D20040A300830060604551D200030440603551D1F043D303B3039A037A0358633687474703A2F2F63726C2E7573657274727573742E636F6D2F416464547275737445787465726E616C4341526F6F742E63726C303506082B0601050507010104293027302506082B060105050730018619687474703A2F2F6F6373702E7573657274727573742E636F6D300D06092A864886F70D01010C050003820101009365F63783950F5EC3821C1FD677E73C8AC0AA09F0E90B26F1E0C26A75A1C779C9B95260C829120EF0AD03D609C476DFE5A68195A746DA8257A99592C5B68F03226C3377C17B32176E07CE5A14413A05241BF614063BA825240EBBCC2A75DDB970413F7CD0633621071F46FF60A491E167BCDE1F7E1914C9636791EA67076BB48F8BC06E437DC3A1806CB21EBC53857DDC90A1A4BC2DEF4672573505BFBB46BB6E6D3799B6FF239291C66E40F88F2956EA5FD55F1453ACF04F61EAF722CCA7560BE2B8341F26D97B1905683FBA3CD43806A2D3E68F0EE3B4716D4042C584B440952BF465A04879F61D8163969D4F75E0F87CE48EA9D1F2AD8AB38CC721CDC2EF
2936
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\72\52C64B7E
2936
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\72
2936
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
2936
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback
2936
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
2936
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Enter)
4000000000000000EE304C6BD87ED501780B0000680B0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Enter)
400000000000000048934E6BD87ED501780B0000680B0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
LastIndex
24
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Enter)
40000000000000004ACAA66BD87ED501780B0000680B0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Enter)
4000000000000000A42CA96BD87ED501780B0000100A0000E80300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Leave)
400000000000000018D3926CD87ED501780B0000100A0000E80300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Leave)
400000000000000068300372D87ED501780B0000680B0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Enter)
400000000000000068300372D87ED501780B0000680B0000D4070000000000000000000000000000000000000000000000000000000000000000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Leave)
4000000000000000DEE01372D87ED501780B0000680B0000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Enter)
4000000000000000AEF32672D87ED501780B0000A0080000E90300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Leave)
400000000000000040F24572D87ED501780B0000A0080000E90300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Enter)
40000000000000009A544872D87ED501780B0000B0080000F90300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Leave)
4000000000000000A87B4F72D87ED501780B0000B0080000F90300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Enter)
4000000000000000B6A25672D87ED501780B0000680B00000A0400000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Leave)
400000000000000076843B73D87ED501780B0000D80800000A0400000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Leave)
400000000000000076843B73D87ED501780B0000680B0000D0070000010000000000000000000000000000000000000000000000000000000000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Leave)
400000000000000076843B73D87ED501780B0000680B0000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
FirstRun
0
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
LastIndex
24
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
1
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
StartNesting
EE304C6BD87ED501
2936
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
2936
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Owner
780B0000DADDA866D87ED501
2936
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
SessionHash
415CA9A85E710A2EAC32F01BA4CE805FFB195751A47DA149E02B962263E803B1
2936
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Sequence
1
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
C:\Windows\Installer\11a343.ipi
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Config.Msi\
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\11a344.rbs
30768864
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\11a344.rbsLow
3910258256
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\5525B5968027A5146A0475DF71F07FBE
4FFEF0CFBA99245448334E59F4C84EFF
C:\Users\Public\
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\0BE2A867FC6FCF74DA114CF8E98EB007
4FFEF0CFBA99245448334E59F4C84EFF
C:\Users\admin\AppData\Roaming\SCUFhHngaDCD4NEL15\SCUFhHngaDCD4NEL15\
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Users\admin\AppData\Roaming\SCUFhHngaDCD4NEL15\SCUFhHngaDCD4NEL15\
1
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Users\admin\AppData\Roaming\SCUFhHngaDCD4NEL15\
1
2936
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
0
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Enter)
40000000000000000CB6B26BD87ED501380C0000C40A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Enter)
40000000000000006618B56BD87ED501380C0000740E0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Enter)
40000000000000006618B56BD87ED501380C00006C0E0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Enter)
40000000000000006618B56BD87ED501380C0000E4050000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Leave)
4000000000000000743FBC6BD87ED501380C0000E4050000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Leave)
4000000000000000743FBC6BD87ED501380C0000C40A0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Leave)
40000000000000002804C16BD87ED501380C0000740E0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Leave)
4000000000000000908DCA6BD87ED501380C00006C0E0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Enter)
4000000000000000AEF32672D87ED501380C00006C0E0000010400000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Leave)
4000000000000000AEF32672D87ED501380C00006C0E0000010400000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
4000000000000000167D3072D87ED501380C00006C0E0000E90300000100000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Enter)
4000000000000000167D3072D87ED501380C0000740E0000E90300000100000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Enter)
4000000000000000167D3072D87ED501380C0000C40A0000E90300000100000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Leave)
4000000000000000CA413572D87ED501380C0000740E0000E90300000000000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000CA413572D87ED501380C0000740E0000010000000100000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Leave)
4000000000000000CA413572D87ED501380C00006C0E0000E90300000000000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000CA413572D87ED501380C00006C0E0000010000000100000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Leave)
4000000000000000CA413572D87ED501380C0000C40A0000E90300000000000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000CA413572D87ED501380C0000C40A0000010000000100000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Enter)
4000000000000000A87B4F72D87ED501380C00006C0E0000F90300000100000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Enter)
4000000000000000A87B4F72D87ED501380C0000C40A0000F90300000100000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Enter)
4000000000000000A87B4F72D87ED501380C0000740E0000F90300000100000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Leave)
4000000000000000A87B4F72D87ED501380C0000C40A0000F90300000000000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Leave)
4000000000000000A87B4F72D87ED501380C0000740E0000F90300000000000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Leave)
4000000000000000A87B4F72D87ED501380C00006C0E0000F90300000000000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Enter)
4000000000000000B6A25672D87ED501380C0000D4080000020400000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Leave)
4000000000000000D427BD72D87ED501380C0000D4080000020400000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Enter)
4000000000000000D427BD72D87ED501380C0000D4080000EA0300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Enter)
4000000000000000E24EC472D87ED501380C0000CC070000EA0300000100000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Enter)
4000000000000000E24EC472D87ED501380C0000BC030000EA0300000100000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Enter)
4000000000000000E24EC472D87ED501380C00009C050000EA0300000100000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Leave)
4000000000000000B261D772D87ED501380C00009C050000EA0300000000000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000B261D772D87ED501380C00009C050000020000000100000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Leave)
40000000000000006626DC72D87ED501380C0000BC030000EA0300000000000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000006626DC72D87ED501380C0000BC030000020000000100000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Leave)
40000000000000006626DC72D87ED501380C0000CC070000EA0300000000000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000006626DC72D87ED501380C0000CC070000020000000100000001000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Leave)
4000000000000000C8370E73D87ED501380C0000D4080000EA0300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Enter)
4000000000000000C8370E73D87ED501380C0000D4080000EB0300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Enter)
4000000000000000C8370E73D87ED501380C0000D4080000EC0300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Enter)
40000000000000007CFC1273D87ED501380C0000CC070000EB0300000100000002000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Leave)
40000000000000007CFC1273D87ED501380C0000CC070000EB0300000000000002000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
40000000000000007CFC1273D87ED501380C0000CC070000030000000100000002000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Enter)
40000000000000007CFC1273D87ED501380C000050090000FC0300000100000003000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Leave)
40000000000000007CFC1273D87ED501380C0000D4080000EC0300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Enter)
40000000000000007CFC1273D87ED501380C0000D4080000ED0300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Leave)
4000000000000000D65E1573D87ED501380C0000D4080000ED0300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Enter)
4000000000000000D65E1573D87ED501380C0000D4080000EE0300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Enter)
40000000000000008A231A73D87ED501380C00009C050000EB0300000100000002000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Leave)
40000000000000008A231A73D87ED501380C00009C050000EB0300000000000002000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
40000000000000008A231A73D87ED501380C00009C050000030000000100000002000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Enter)
40000000000000008A231A73D87ED501380C00005C090000FC0300000100000003000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Leave)
40000000000000003EE81E73D87ED501380C0000D4080000EE0300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Enter)
40000000000000003EE81E73D87ED501380C0000D4080000F00300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Leave)
40000000000000003EE81E73D87ED501380C0000D4080000F00300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Enter)
40000000000000003EE81E73D87ED501380C0000D4080000EF0300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Enter)
4000000000000000984A2173D87ED501380C0000CC070000EB0300000100000002000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Leave)
40000000000000005A362D73D87ED501380C0000CC070000EB0300000000000002000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
40000000000000005A362D73D87ED501380C0000CC070000030000000100000002000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Enter)
40000000000000005A362D73D87ED501380C0000280B0000FC0300000100000003000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Leave)
40000000000000005A362D73D87ED501380C0000D4080000EF0300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Leave)
40000000000000005A362D73D87ED501380C0000D4080000EB0300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Enter)
40000000000000005A362D73D87ED501380C0000D4080000030400000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Leave)
40000000000000005A362D73D87ED501380C0000D4080000030400000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Enter)
40000000000000005A362D73D87ED501380C0000D4080000FD0300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Enter)
40000000000000005A362D73D87ED501380C0000380B0000FD0300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Leave)
4000000000000000685D3473D87ED501380C0000380B0000FD0300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Leave)
4000000000000000685D3473D87ED501380C0000D4080000FD0300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Enter)
4000000000000000685D3473D87ED501380C0000380B0000FE0300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Leave)
40000000000000001C223973D87ED501380C0000380B0000FE0300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Enter)
40000000000000001C223973D87ED501380C0000380B0000FF0300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Leave)
40000000000000001C223973D87ED501380C0000380B0000FF0300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Enter)
4000000000000000685D3473D87ED501380C0000D4080000FE0300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Leave)
40000000000000001C223973D87ED501380C0000D4080000FE0300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Enter)
40000000000000001C223973D87ED501380C0000D4080000FF030000010000000000000000000000000000000000000000000000000000000000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Leave)
40000000000000001C223973D87ED501380C0000D4080000FF030000000000000000000000000000000000000000000000000000000000000000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Enter)
40000000000000001C223973D87ED501380C0000340B0000040400000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Leave)
40000000000000001C223973D87ED501380C0000340B0000040400000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Enter)
40000000000000001C223973D87ED501380C0000D4080000050400000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Leave)
400000000000000076843B73D87ED501380C0000D4080000050400000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Enter)
400000000000000076843B73D87ED501380C0000D4080000F40300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Leave)
400000000000000076843B73D87ED501380C0000D4080000F40300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Enter)
400000000000000076843B73D87ED501380C0000D4080000F20300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Enter)
400000000000000084AB4273D87ED501380C0000BC030000F20300000100000003000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Enter)
400000000000000084AB4273D87ED501380C0000CC070000F20300000100000003000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Leave)
400000000000000084AB4273D87ED501380C0000280B0000FC0300000000000003000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Leave)
400000000000000084AB4273D87ED501380C000050090000FC0300000000000003000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Enter)
400000000000000084AB4273D87ED501380C00002C010000F20300000100000003000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Leave)
400000000000000084AB4273D87ED501380C0000BC030000F20300000000000003000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Leave)
400000000000000084AB4273D87ED501380C0000CC070000F20300000000000003000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Leave)
400000000000000084AB4273D87ED501380C00005C090000FC0300000000000003000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
400000000000000084AB4273D87ED501380C0000BC030000040000000100000003000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
400000000000000084AB4273D87ED501380C0000CC070000040000000100000003000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Leave)
400000000000000084AB4273D87ED501380C00002C010000F20300000000000003000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
400000000000000084AB4273D87ED501380C00002C010000040000000100000003000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Leave)
400000000000000084AB4273D87ED501380C0000D4080000F20300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Enter)
400000000000000084AB4273D87ED501380C0000D4080000060400000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Leave)
4000000000000000A8A88073D87ED501380C0000D4080000060400000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Enter)
4000000000000000A8A88073D87ED501380C0000D4080000F50300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Enter)
40000000000000001E599173D87ED501380C00009C050000F50300000100000004000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Enter)
40000000000000001E599173D87ED501380C0000B4070000F50300000100000004000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Enter)
40000000000000001E599173D87ED501380C00002C010000F50300000100000004000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Leave)
40000000000000001E599173D87ED501380C0000B4070000F50300000000000004000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
40000000000000001E599173D87ED501380C0000B4070000050000000100000004000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Leave)
40000000000000001E599173D87ED501380C00002C010000F50300000000000004000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
40000000000000001E599173D87ED501380C00002C010000050000000100000004000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Leave)
4000000000000000C8643F74D87ED501380C00009C050000F50300000000000004000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000C8643F74D87ED501380C00009C050000050000000100000004000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Leave)
4000000000000000C8643F74D87ED501380C0000D4080000F50300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Enter)
4000000000000000C8643F74D87ED501380C0000D4080000070400000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Leave)
4000000000000000A69E5974D87ED501380C0000D4080000070400000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Enter)
40000000000000001C4F6A74D87ED501380C0000D4080000FB0300000100000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Enter)
400000000000000076B16C74D87ED501380C0000B4070000FB0300000100000005000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Enter)
400000000000000076B16C74D87ED501380C00009C050000FB0300000100000005000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Enter)
400000000000000076B16C74D87ED501380C0000CC070000FB0300000100000005000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Leave)
400000000000000076B16C74D87ED501380C00009C050000FB0300000000000005000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Leave)
400000000000000076B16C74D87ED501380C0000CC070000FB0300000000000005000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Leave)
400000000000000076B16C74D87ED501380C0000B4070000FB0300000000000005000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
3128
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Leave)
400000000000000076B16C74D87ED501380C0000D4080000FB0300000000000000000000000000006D6332237327AA4C98794F8D3B88D7E30000000000000000
2292
DrvInst.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US

Files activity

Executable files
2
Suspicious files
6
Text files
30
Unknown types
2

Dropped files

PID
Process
Filename
Type
2936
msiexec.exe
C:\Windows\Installer\MSIA555.tmp
executable
MD5: a3b4d222a755f43b34a0963f13f77500
SHA256: 9692a12baf2113db4921678f3cf8746933d26d05141748fe09dcef11e5d94f54
2936
msiexec.exe
C:\Windows\Installer\11a342.msi
executable
MD5: f9654ad045c8b0be904d68a0d81510ab
SHA256: 0b7c0103eb9c3839c667720ce469318e9a2809186ae6c1dd1a65a3916935b15c
2292
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 7a8772e0ceaa13eda930d76018f19881
SHA256: 913e21f17327c20862a402aec464c77f96fc6ae8aff9bca3d94247961a168cf5
2936
msiexec.exe
C:\Windows\Installer\MSIA75A.tmp
––
MD5:  ––
SHA256:  ––
3664
MsiExec.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\52HHkH3c.lnk
lnk
MD5: 02440aee43ba1dcf38c21624703938b2
SHA256: d77ee99aa1e7d3415665866d8b4912ab63df9666c3ea191eff9025c5f4fbf39a
3128
vssvc.exe
C:
––
MD5:  ––
SHA256:  ––
2936
msiexec.exe
C:\Windows\Installer\11a343.ipi
binary
MD5: 32a67d28941f3b3ae5cedfabfa0eba8b
SHA256: 84ea40ecde74189eb235d092e5614a1bc47a3e26f2047ea1b4245fc5c78b61d7
2936
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DF03AB6CE517DBFCA4.TMP
––
MD5:  ––
SHA256:  ––
2936
msiexec.exe
C:\Windows\Installer\11a343.ipi
––
MD5:  ––
SHA256:  ––
2936
msiexec.exe
C:\Config.Msi\11a344.rbs
––
MD5:  ––
SHA256:  ––
2292
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
text
MD5: 25663bfee49d8a129d9987533c1b7a3d
SHA256: b1720dbd6f0e0adbdbf376ed95f211f6da8d9c560fecd83ada388ec917f4eb33
2944
msiexec.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD
der
MD5: db78cbd190952735d940bc80ac2432c0
SHA256: 1a5174980a294a528a110726d5855650266c48d9883bea692b67b6d726da98c5
2292
DrvInst.exe
C:\Windows\INF\setupapi.ev3
binary
MD5: 8f761032829fb6121aee77e26dc667a6
SHA256: f83e1592023b7c8f6c15847f26d30770c0a52e6c7304dba951eea437e2737649
2292
DrvInst.exe
C:\Windows\INF\setupapi.ev1
binary
MD5: 8de693b7b9432ed2d31eb8d4b0b81f76
SHA256: c0cf088f243cf52797233f78015770cf6a5bdc8caced1d063a5e59bfd6e562fd
2936
msiexec.exe
C:\System Volume Information\SPP\metadata-2
––
MD5:  ––
SHA256:  ––
2936
msiexec.exe
C:\System Volume Information\SPP\OnlineMetadataCache\{2332636d-2773-4caa-9879-4f8d3b88d7e3}_OnDiskSnapshotProp
binary
MD5: ea870fc657216a1d304b637f3fdf0114
SHA256: dce9089a7306de39b1418532f511b8dd32f141e7ee645a805cf01765c6e8f2da
2936
msiexec.exe
C:\System Volume Information\SPP\snapshot-2
binary
MD5: ea870fc657216a1d304b637f3fdf0114
SHA256: dce9089a7306de39b1418532f511b8dd32f141e7ee645a805cf01765c6e8f2da
2944
msiexec.exe
C:\Users\admin\AppData\Local\Temp\MSI5275.tmp
––
MD5:  ––
SHA256:  ––
2944
msiexec.exe
C:\Users\admin\AppData\Local\Temp\MSI5245.tmp
––
MD5:  ––
SHA256:  ––
2944
msiexec.exe
C:\Users\admin\AppData\Local\Temp\MSI5235.tmp
––
MD5:  ––
SHA256:  ––
2944
msiexec.exe
C:\Users\admin\AppData\Local\Temp\MSI51C6.tmp
––
MD5:  ––
SHA256:  ––
2944
msiexec.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD
binary
MD5: 70fc8a5309adfaf3bfc3f89a47acc099
SHA256: c83bbdb94f5ef8a4f7a523dcf7d1581c4915643d747ce05a1a7412955fd2402f
2936
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DF2FC3A6BCE4F72A09.TMP
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2944 msiexec.exe GET 200 91.199.212.52:80 http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt GB
der
whitelisted
3664 MsiExec.exe GET –– 69.42.49.155:80 http://www.leonloard.com/LLCP/wawst4ts1.zip US
––
––
unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2944 msiexec.exe 91.199.212.52:80 Comodo CA Ltd GB unknown
3664 MsiExec.exe 69.42.49.155:80 DataBank Holdings, Ltd. US unknown

DNS requests

Domain IP Reputation
crt.usertrust.com 91.199.212.52
whitelisted
www.leonloard.com 69.42.49.155
unknown

Threats

No threats detected.

Debug output strings

No debug info.