General Info

File name

build_outputc02d30f.msi

Full analysis
https://app.any.run/tasks/f73d4cbe-19a2-424d-89d6-33a8c79fba4e
Verdict
Malicious activity
Analysis date
9/11/2019, 08:38:21
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

exe-to-msi

trojan

rat

azorult

stealer

Indicators:

MIME:
application/x-msi
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5

db5f6988148028adaff892d2c590da05

SHA1

58aa1875a397a00dbc51bd35755762344c3011a2

SHA256

527b39b91fbd21663726bb81370a2075d5a07764f471b86222fc9204e3ea71d1

SSDEEP

12288:qEI6rXhskVwFg0sS53zSg13Ey5BDDiKy9QXr16k:qEhhskV6gg3H13BDGSp6k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Connects to CnC server
  • MSID5A6.tmp (PID: 2352)
Stealing of credential data
  • MSID5A6.tmp (PID: 2352)
Actions look like stealing of personal data
  • MSID5A6.tmp (PID: 2352)
AZORULT was detected
  • MSID5A6.tmp (PID: 2352)
Reads the cookies of Google Chrome
  • MSID5A6.tmp (PID: 2352)
Reads the cookies of Mozilla Firefox
  • MSID5A6.tmp (PID: 2352)
Executed via COM
  • DrvInst.exe (PID: 2580)
Executable content was dropped or overwritten
  • msiexec.exe (PID: 2972)
Executed as Windows Service
  • vssvc.exe (PID: 2076)
Drop ExeToMSI Application
  • msiexec.exe (PID: 2972)
Application was dropped or rewritten from another process
  • MSID5A6.tmp (PID: 2352)
  • MSID5A6.tmp (PID: 3324)
Low-level read access rights to disk partition
  • vssvc.exe (PID: 2076)
Searches for installed software
  • msiexec.exe (PID: 2972)
Starts application with an unusual extension
  • msiexec.exe (PID: 2972)
  • MSID5A6.tmp (PID: 3324)

Static information

TRiD
.msi
|   Microsoft Installer (100%)
EXIF
FlashPix
CodePage:
Windows Latin 1 (Western European)
LastPrinted:
2012:09:21 09:56:09
CreateDate:
2012:09:21 09:56:09
Software:
Windows Installer
Title:
Exe to msi converter free
Subject:
null
Author:
www.exetomsi.com
Keywords:
null
Comments:
null
Template:
;0
LastModifiedBy:
devuser
RevisionNumber:
{C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
ModifyDate:
2013:05:21 11:56:44
Pages:
100
Words:
null
Security:
None

Processes

Total processes
39
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Graph nodes (process chain as rendered in the interactive graph): start → drop and start → msiexec.exe (no specs) → msiexec.exe → vssvc.exe (no specs), drvinst.exe (no specs), msid5a6.tmp (no specs) → msid5a6.tmp (#AZORULT)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3540
CMD
"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\build_outputc02d30f.msi"
Path
C:\Windows\System32\msiexec.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll

PID
2972
CMD
C:\Windows\system32\msiexec.exe /V
Path
C:\Windows\system32\msiexec.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samlib.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\installer\msid5a6.tmp
c:\windows\system32\devrtl.dll

PID
2076
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
2580
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000005B8" "000002D4"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

PID
3324
CMD
"C:\Windows\Installer\MSID5A6.tmp"
Path
C:\Windows\Installer\MSID5A6.tmp
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
stellAR
Description
BIP_1
Version
1.00
Modules
Image
c:\windows\installer\msid5a6.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\apphelp.dll

PID
2352
CMD
"C:\Windows\Installer\MSID5A6.tmp"
Path
C:\Windows\Installer\MSID5A6.tmp
Indicators
Parent process
MSID5A6.tmp
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
stellAR
Description
BIP_1
Version
1.00
Modules
Image
c:\systemroot\system32\ntdll.dll
c:\windows\installer\msid5a6.tmp
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll

Registry activity

Total events
474
Read events
306
Write events
162
Delete events
6

Modification events

PID
Process
Operation
Key
Name
Value
2972
msiexec.exe
delete key
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
2972
msiexec.exe
delete key
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72
2972
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
2972
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback
2972
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
2972
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Enter)
4000000000000000E61C858B6B68D5019C0B00006C0A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Enter)
4000000000000000407F878B6B68D5019C0B00006C0A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
LastIndex
24
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Enter)
4000000000000000AA3FE98B6B68D5019C0B00006C0A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Enter)
4000000000000000AA3FE98B6B68D5019C0B000068090000E8030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Leave)
40000000000000004ED3BF8C6B68D5019C0B000068090000E8030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Leave)
4000000000000000AE8E8F926B68D5019C0B00006C0A0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Enter)
4000000000000000AE8E8F926B68D5019C0B00006C0A0000D4070000000000000000000000000000000000000000000000000000000000000000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Leave)
40000000000000007EA1A2926B68D5019C0B00006C0A0000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Enter)
4000000000000000A816B8926B68D5019C0B000080090000E9030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Leave)
4000000000000000E0B2D4926B68D5019C0B000080090000E9030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Enter)
40000000000000003A15D7926B68D5019C0B000098090000F9030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Leave)
4000000000000000A29EE0926B68D5019C0B000098090000F9030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Enter)
40000000000000005663E5926B68D5019C0B00006C0A00000A040000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Leave)
4000000000000000E657DD936B68D5019C0B0000B40900000A040000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Leave)
4000000000000000E657DD936B68D5019C0B00006C0A0000D0070000010000000000000000000000000000000000000000000000000000000000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Leave)
4000000000000000E657DD936B68D5019C0B00006C0A0000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
FirstRun
0
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
LastIndex
24
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
1
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
StartNesting
E61C858B6B68D501
2972
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Owner
9C0B0000D0464E8B6B68D501
2972
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
SessionHash
09885B12073C1BBA10E242F7424F2D7A192A31204980D9A749A88614E7FB4293
2972
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Sequence
1
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
C:\Windows\Installer\16cfda.ipi
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Config.Msi\
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\16cfdb.rbs
30763123
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\16cfdb.rbsLow
4135704592
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\858132C493B23D11E8D0000CF486730D
7137FE921ACD9514792B8C38DA04A06C
2972
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
0
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Enter)
4000000000000000C68DF78B6B68D5011C080000A00D0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Enter)
4000000000000000C68DF78B6B68D5011C080000EC090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Enter)
4000000000000000C68DF78B6B68D5011C0800009C0D0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Enter)
4000000000000000C68DF78B6B68D5011C080000E8090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Leave)
40000000000000007A52FC8B6B68D5011C080000EC090000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Leave)
40000000000000007A52FC8B6B68D5011C080000A00D0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Leave)
40000000000000002E17018C6B68D5011C0800009C0D0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Leave)
4000000000000000E2DB058C6B68D5011C080000E8090000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Enter)
40000000000000004EB4B5926B68D5011C080000E809000001040000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Leave)
40000000000000004EB4B5926B68D5011C080000E809000001040000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
400000000000000010A0C1926B68D5011C080000A00D0000E9030000010000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Enter)
400000000000000010A0C1926B68D5011C080000E8090000E9030000010000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Enter)
400000000000000010A0C1926B68D5011C0800009C0D0000E9030000010000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Leave)
40000000000000006A02C4926B68D5011C080000E8090000E9030000000000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_STABLE (SetCurrentState)
40000000000000006A02C4926B68D5011C080000E809000001000000010000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Leave)
40000000000000006A02C4926B68D5011C0800009C0D0000E9030000000000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_STABLE (SetCurrentState)
40000000000000006A02C4926B68D5011C0800009C0D000001000000010000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Leave)
40000000000000006A02C4926B68D5011C080000A00D0000E9030000000000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_STABLE (SetCurrentState)
40000000000000006A02C4926B68D5011C080000A00D000001000000010000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Enter)
4000000000000000A29EE0926B68D5011C080000A00D0000F9030000010000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Enter)
4000000000000000A29EE0926B68D5011C0800009C0D0000F9030000010000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Enter)
4000000000000000A29EE0926B68D5011C080000E8090000F9030000010000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Leave)
4000000000000000A29EE0926B68D5011C080000A00D0000F9030000000000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Leave)
4000000000000000A29EE0926B68D5011C0800009C0D0000F9030000000000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Leave)
4000000000000000A29EE0926B68D5011C080000E8090000F9030000000000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Enter)
40000000000000005663E5926B68D5011C080000AC09000002040000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Leave)
400000000000000090365A936B68D5011C080000AC09000002040000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Enter)
4000000000000000EA985C936B68D5011C080000AC090000EA030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Enter)
4000000000000000522266936B68D5011C080000E4080000EA030000010000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Enter)
4000000000000000522266936B68D5011C080000D8080000EA030000010000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Enter)
4000000000000000522266936B68D5011C080000CC080000EA030000010000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Leave)
4000000000000000D6F97D936B68D5011C080000E4080000EA030000000000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000D6F97D936B68D5011C080000E408000002000000010000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Leave)
4000000000000000305C80936B68D5011C080000CC080000EA030000000000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000305C80936B68D5011C080000CC08000002000000010000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Leave)
4000000000000000305C80936B68D5011C080000D8080000EA030000000000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000305C80936B68D5011C080000D808000002000000010000000100000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Leave)
4000000000000000DEA8AD936B68D5011C080000AC090000EA030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Enter)
4000000000000000DEA8AD936B68D5011C080000AC090000EB030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Enter)
4000000000000000DEA8AD936B68D5011C080000AC090000EC030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Enter)
4000000000000000926DB2936B68D5011C080000D8080000EB030000010000000200000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Leave)
4000000000000000926DB2936B68D5011C080000D8080000EB030000000000000200000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000926DB2936B68D5011C080000D808000003000000010000000200000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000926DB2936B68D5011C080000200A0000FC030000010000000300000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Leave)
4000000000000000926DB2936B68D5011C080000AC090000EC030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Enter)
4000000000000000926DB2936B68D5011C080000AC090000ED030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Leave)
40000000000000004632B7936B68D5011C080000AC090000ED030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Enter)
40000000000000004632B7936B68D5011C080000AC090000EE030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Enter)
4000000000000000A094B9936B68D5011C080000DC080000EB030000010000000200000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Leave)
4000000000000000FAF6BB936B68D5011C080000DC080000EB030000000000000200000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000FAF6BB936B68D5011C080000DC08000003000000010000000200000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000FAF6BB936B68D5011C080000480A0000FC030000010000000300000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Leave)
4000000000000000AEBBC0936B68D5011C080000AC090000EE030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Enter)
4000000000000000AEBBC0936B68D5011C080000AC090000F0030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Leave)
4000000000000000AEBBC0936B68D5011C080000AC090000F0030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Enter)
4000000000000000AEBBC0936B68D5011C080000AC090000EF030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Enter)
40000000000000006280C5936B68D5011C080000DC080000EB030000010000000200000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Leave)
400000000000000070A7CC936B68D5011C080000DC080000EB030000000000000200000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
400000000000000070A7CC936B68D5011C080000DC08000003000000010000000200000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Enter)
400000000000000070A7CC936B68D5011C080000800B0000FC030000010000000300000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Leave)
400000000000000070A7CC936B68D5011C080000AC090000EF030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Leave)
400000000000000070A7CC936B68D5011C080000AC090000EB030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Enter)
400000000000000070A7CC936B68D5011C080000AC09000003040000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Leave)
400000000000000070A7CC936B68D5011C080000AC09000003040000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Enter)
400000000000000070A7CC936B68D5011C080000AC090000FD030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Enter)
400000000000000070A7CC936B68D5011C0800006C0B0000FD030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Leave)
4000000000000000D830D6936B68D5011C0800006C0B0000FD030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Leave)
4000000000000000D830D6936B68D5011C080000AC090000FD030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Enter)
4000000000000000D830D6936B68D5011C0800006C0B0000FE030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Leave)
40000000000000008CF5DA936B68D5011C0800006C0B0000FE030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Enter)
40000000000000008CF5DA936B68D5011C0800006C0B0000FF030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Leave)
40000000000000008CF5DA936B68D5011C0800006C0B0000FF030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Enter)
4000000000000000D830D6936B68D5011C080000AC090000FE030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Leave)
40000000000000008CF5DA936B68D5011C080000AC090000FE030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Enter)
40000000000000008CF5DA936B68D5011C080000AC090000FF030000010000000000000000000000000000000000000000000000000000000000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Leave)
40000000000000008CF5DA936B68D5011C080000AC090000FF030000000000000000000000000000000000000000000000000000000000000000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Enter)
40000000000000008CF5DA936B68D5011C080000700B000004040000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Leave)
40000000000000008CF5DA936B68D5011C080000700B000004040000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Enter)
40000000000000008CF5DA936B68D5011C080000AC09000005040000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Leave)
4000000000000000E657DD936B68D5011C080000AC09000005040000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Enter)
4000000000000000E657DD936B68D5011C080000AC090000F4030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Leave)
4000000000000000E657DD936B68D5011C080000AC090000F4030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Enter)
4000000000000000E657DD936B68D5011C080000AC090000F2030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Enter)
4000000000000000F47EE4936B68D5011C080000CC080000F2030000010000000300000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Enter)
4000000000000000F47EE4936B68D5011C080000DC080000F2030000010000000300000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000F47EE4936B68D5011C080000480A0000FC030000000000000300000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000F47EE4936B68D5011C080000200A0000FC030000000000000300000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Leave)
4000000000000000F47EE4936B68D5011C080000DC080000F2030000000000000300000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000F47EE4936B68D5011C080000DC08000004000000010000000300000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Leave)
4000000000000000F47EE4936B68D5011C080000CC080000F2030000000000000300000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000F47EE4936B68D5011C080000CC08000004000000010000000300000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Enter)
4000000000000000F47EE4936B68D5011C080000D4080000F2030000010000000300000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000F47EE4936B68D5011C080000800B0000FC030000000000000300000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Leave)
4000000000000000F47EE4936B68D5011C080000D4080000F2030000000000000300000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000F47EE4936B68D5011C080000D408000004000000010000000300000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Leave)
4000000000000000F47EE4936B68D5011C080000AC090000F2030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Enter)
4000000000000000F47EE4936B68D5011C080000AC09000006040000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Leave)
4000000000000000B0F218946B68D5011C080000AC09000006040000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Enter)
4000000000000000B0F218946B68D5011C080000AC090000F5030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Enter)
4000000000000000CC4027946B68D5011C080000D4080000F5030000010000000400000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Enter)
4000000000000000CC4027946B68D5011C080000CC080000F5030000010000000400000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Enter)
4000000000000000CC4027946B68D5011C080000C8080000F5030000010000000400000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Leave)
400000000000000026A329946B68D5011C080000C8080000F5030000000000000400000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
400000000000000026A329946B68D5011C080000C808000005000000010000000400000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Leave)
400000000000000026A329946B68D5011C080000CC080000F5030000000000000400000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
400000000000000026A329946B68D5011C080000CC08000005000000010000000400000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Leave)
4000000000000000929AE3946B68D5011C080000D4080000F5030000000000000400000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000929AE3946B68D5011C080000D408000005000000010000000400000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Leave)
4000000000000000929AE3946B68D5011C080000AC090000F5030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Enter)
4000000000000000929AE3946B68D5011C080000AC09000007040000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Leave)
40000000000000008C220C956B68D5011C080000AC09000007040000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Enter)
400000000000000002D31C956B68D5011C080000AC090000FB030000010000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Enter)
4000000000000000D2E52F956B68D5011C080000D4080000FB030000010000000500000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Enter)
4000000000000000D2E52F956B68D5011C080000CC080000FB030000010000000500000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Enter)
4000000000000000D2E52F956B68D5011C080000DC080000FB030000010000000500000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Leave)
4000000000000000D2E52F956B68D5011C080000D4080000FB030000000000000500000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Leave)
4000000000000000D2E52F956B68D5011C080000CC080000FB030000000000000500000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Leave)
4000000000000000D2E52F956B68D5011C080000DC080000FB030000000000000500000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2076
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Leave)
4000000000000000D2E52F956B68D5011C080000AC090000FB030000000000000000000000000000C93BD7DEDCCEB34B8990421982D726870000000000000000
2580
DrvInst.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US

Files activity

Executable files
2
Suspicious files
8
Text files
37
Unknown types
5

Dropped files

PID
Process
Filename
Type
2972
msiexec.exe
C:\Windows\Installer\MSID5A6.tmp
executable
MD5: ebe6a6f128ae0f9a124bbe9090baf755
SHA256: eab34d308622c57695ad1141bc26ed6ed814e5a90ca93767b48bfe78c74e28d9
2972
msiexec.exe
C:\Windows\Installer\16cfd8.msi
executable
MD5: db5f6988148028adaff892d2c590da05
SHA256: 527b39b91fbd21663726bb81370a2075d5a07764f471b86222fc9204e3ea71d1
2972
msiexec.exe
C:\Config.Msi\16cfdb.rbs
––
MD5:  ––
SHA256:  ––
2352
MSID5A6.tmp
C:\Users\admin\AppData\Local\Temp\2C2BAE5-D2E8D272-5D306FD2-737B9687F7147778271438403311592252104506.zip
compressed
MD5: df86ade4d1a9adef9b76bf26fa6051b0
SHA256: b73f09cd61c466662519833b4733817985d7d9aec41b115e2d189faf51d59f1f
2352
MSID5A6.tmp
C:\Users\admin\AppData\Local\Temp\15029539454759346736327.tempcbss
sqlite
MD5: 60b51ba20224ac3783e213ea9f55f125
SHA256: 0e305ba02985f26b29b234cd79d2c2af0a51085da2db2bed98d20f8c61b76254
2352
MSID5A6.tmp
C:\Users\admin\AppData\Local\Temp\2C2BAE5-D2E8D272-5D306FD2-737B9687F_7147778271438403\BROWSERS\AUTOCOMPLETE\MozillaFirefox_qldyz51w.default.txt
––
MD5:  ––
SHA256:  ––
2352
MSID5A6.tmp
C:\Users\admin\AppData\Local\Temp\15029378474365565655144.tempcbss
sqlite
MD5: 7c426e0fc19063a433349ce713da84a0
SHA256: 9925b2d80f8a85132ef4927979b25e0b9525e8317a71ffd844980b794b04234c
2352
MSID5A6.tmp
C:\Users\admin\AppData\Local\Temp\2C2BAE5-D2E8D272-5D306FD2-737B9687F_7147778271438403\BROWSERS\AUTOCOMPLETE\Google_Chrome_Default.txt
text
MD5: 678685666d3faafd8cfdbdb0cd997122
SHA256: dd730415e2853666046266477ee09bf65d67c6567d298eef319c114e18ccb6d8
2352
MSID5A6.tmp
C:\Users\admin\AppData\Local\Temp\1502937622065956859897.tempcbss
sqlite
MD5: e812b5aaa4ab657d430a930438dd0e7c
SHA256: 153a35f475f8b6ab4ae389da8be3ab7557250c46ce410c8d2c884c8ab418808f
2352
MSID5A6.tmp
C:\Users\admin\AppData\Local\Temp\2C2BAE5-D2E8D272-5D306FD2-737B9687F_7147778271438403\BROWSERS\COOKIES\MozillaFirefox_qldyz51w.default.txt
text
MD5: 87cc984576777ce52103c94663aba355
SHA256: 6b7cfdc32a9fbeb8a2fe9d310bd64bdc831868140e225886e14823de3be5cfa3
2352
MSID5A6.tmp
C:\Users\admin\AppData\Local\Temp\15029378474365565655144.tempcbss-shm
––
MD5:  ––
SHA256:  ––
2352
MSID5A6.tmp
C:\Users\admin\AppData\Local\Temp\15029212569577712828542.tempcbss
sqlite
MD5: dd9640af5f03807cf2e3921cba16af0d
SHA256: ecf72c454fef08c5948a565464839a554567e499f995483d6c8b54b32ea2c5f0
2352
MSID5A6.tmp
C:\Users\admin\AppData\Local\Temp\2C2BAE5-D2E8D272-5D306FD2-737B9687F_7147778271438403\BROWSERS\COOKIES\Google_Chrome_Default.txt
––
MD5:  ––
SHA256:  ––
2352
MSID5A6.tmp
C:\Users\admin\AppData\Local\Temp\2C2BAE5-D2E8D272-5D306FD2-737B9687F_7147778271438403\Passwords.txt
––
MD5:  ––
SHA256:  ––
2352
MSID5A6.tmp
C:\Users\admin\AppData\Local\Temp\1502890455498357842250.tmp
sqlite
MD5: acfe428573bc93a1c2d167fa95961bb0
SHA256: beb40a8a26a3a77b8542de111f274c42b9095c5152322de1ea4e112308441338
2972
msiexec.exe
C:\Windows\Installer\16cfda.ipi
binary
MD5: 30fa51ddfa0b6b9e359e021d5f4d0b04
SHA256: 3f356334f9d617d4025dbb525e75b073356796305a1e7727c8e13e13a8d0235c
2972
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DFF9B62950392B6C15.TMP
––
MD5:  ––
SHA256:  ––
2972
msiexec.exe
C:\System Volume Information\SPP\snapshot-2
binary
MD5: ad636c0d5b87151e1b524cb2fed9a905
SHA256: 8d0d6b1fae94e5afeb06478a5a34b2c3bb553413f538acd8802b1f77b5f1de3e
2076
vssvc.exe
C:
––
MD5:  ––
SHA256:  ––
2352
MSID5A6.tmp
C:\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
3324
MSID5A6.tmp
C:\Windows\win.ini
text
MD5: d2a2412bddba16d60ec63bd9550d933f
SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
2352
MSID5A6.tmp
C:\Users\admin\AppData\Local\Temp\2C2BAE5-D2E8D272-5D306FD2-737B9687F_7147778271438403\Process.txt
text
MD5: 79ea72d0a208d50ce6b943741598bd3d
SHA256: 572d0d0fae0e0894e9b8e6a80e3df65ce01f3157fdca6287e88a612be0449323
2972
msiexec.exe
C:\Windows\Installer\MSID4AA.tmp
binary
MD5: 6ad9fbbcc735309f859cfbe9a2327a78
SHA256: 36615008f08a6aa648f08f784cdbda8984fbd616f32c8706fc845097f06b181e
2972
msiexec.exe
C:\Windows\Installer\16cfda.ipi
binary
MD5: 058d0f29f784ba8ee271bb914c909f58
SHA256: 22cef0b95b2c67a07580e4ce36fcb7f301c0787f66f0b833cb07573f669425e1
2972
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DF7FB2881E19EE89F4.TMP
––
MD5:  ––
SHA256:  ––
2352
MSID5A6.tmp
C:\Users\admin\AppData\Local\Temp\2C2BAE5-D2E8D272-5D306FD2-737B9687F_7147778271438403\Info.txt
text
MD5: 03f01a07480ed0b76242311ee169deb7
SHA256: ad3f3efe9615aae43c520e963a3bb2f5ea6ee2c63dd29dbc3bf1178897b603be
2580
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
text
MD5: 7ebdd76e6d1deda445ebaacc5a42bce2
SHA256: 3340c17845ca36d64bbcde63c26efae22b885cf16aa91eedd851fb0ff6fb0adf
2580
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: eae92a91fb862a0c81cb10e6caeee6c0
SHA256: 04ccb1b05104806bc56703fef13b7c1c129c36ef744703a6936a1c4a69240c8e
2580
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 7f6fde453930fc01cbf5e9ea02d3a9b6
SHA256: 3c6577c7270f507fd4f65b8567e9924520dabb4a8ae1bb6bdb24830adf2325c8
2580
DrvInst.exe
C:\Windows\INF\setupapi.ev1
binary
MD5: 0c4d78c30499174ae26f10ebd446bddb
SHA256: cb66e5421b7f047b46a998f7cade5a7779bf013f16132558cf07a5bbc0e62350
2580
DrvInst.exe
C:\Windows\INF\setupapi.ev3
binary
MD5: 8f761032829fb6121aee77e26dc667a6
SHA256: f83e1592023b7c8f6c15847f26d30770c0a52e6c7304dba951eea437e2737649
2972
msiexec.exe
C:\System Volume Information\SPP\metadata-2
––
MD5:  ––
SHA256:  ––
2972
msiexec.exe
C:\System Volume Information\SPP\OnlineMetadataCache\{ded73bc9-cedc-4bb3-8990-421982d72687}_OnDiskSnapshotProp
binary
MD5: ad636c0d5b87151e1b524cb2fed9a905
SHA256: 8d0d6b1fae94e5afeb06478a5a34b2c3bb553413f538acd8802b1f77b5f1de3e
2352
MSID5A6.tmp
C:\Users\admin\AppData\Local\Temp\2C2BAE5-D2E8D272-5D306FD2-737B9687F_7147778271438403\Programms.txt
text
MD5: 81dd76b403e951b395b4dbb6ced6c4ba
SHA256: 3be9c5affcf4be44e3cf977d933d91128e534685415f3d159b2ece14ca4b9705

Network activity

HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
7

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2352 MSID5A6.tmp POST 200 162.244.92.133:80 http://gbttm.com/gate.php US text text malicious
2352 MSID5A6.tmp POST 200 162.244.92.133:80 http://gbttm.com/gate.php US binary –– –– malicious

Connections

PID Process IP ASN CN Reputation
2352 MSID5A6.tmp 162.244.92.133:80 FranTech Solutions US malicious

DNS requests

Domain IP Reputation
gbttm.com 162.244.92.133 malicious

Threats

PID Process Class Message
2352 MSID5A6.tmp A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no accept headers
2352 MSID5A6.tmp A Network Trojan was detected REMOTE [PTsecurity] AZORULT
2352 MSID5A6.tmp A Network Trojan was detected MALWARE [PTsecurity] AZORult stealer CnC Response (for any 3byte XOR key)
2352 MSID5A6.tmp A Network Trojan was detected REMOTE [PTsecurity] AZORULT
2352 MSID5A6.tmp A Network Trojan was detected ET TROJAN Trojan Generic - POST To gate.php with no accept headers

2 ETPRO signatures available at the full report

Debug output strings

No debug info.