General Info

File name

Sii0909098761234114.msi

Full analysis
https://app.any.run/tasks/2e3bf6b5-3a6b-4c2f-8d7f-f1ef93f990a3
Verdict
Malicious activity
Analysis date
8/13/2019, 21:11:00
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

generated-doc

Indicators:

MIME:
application/x-msi
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {EF039855-95DA-4F53-B8CB-552320887DD9}, Number of Words: 10, Subject: Archivo, Author: Principal, Name of Creating Application: Advanced Installer 12.2.1 build 64247, Template: ;1027, Comments: La base de dades del installador cont la lgica i les dades necessries per installar Archivo.
MD5

69bf9fab7277a08db19e049e4b16695d

SHA1

1127d9025de9e42f11e3fa31c157e9e3af78d11d

SHA256

75e4c68705063e0cead0028b63d02fecfc91301a776d24e3e58e858063d79302

SSDEEP

196608:jE3msQOTE4GyNB0Fa3mVUr8Ejl4OPbYsZJK7eoc:g3m4TEyNB0gI+9jYwWX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • SearchProtocolHost.exe (PID: 628)
  • QVTA5974HI2IH.exe (PID: 2628)
Application was dropped or rewritten from another process
  • QVTA5974HI2IH.exe (PID: 2628)
Changes the autorun value in the registry
  • QVTA5974HI2IH.exe (PID: 2628)
Executed as Windows Service
  • vssvc.exe (PID: 1296)
Executable content was dropped or overwritten
  • msiexec.exe (PID: 3632)
Executed via COM
  • DrvInst.exe (PID: 1324)
Disables Form Suggestion in IE
  • QVTA5974HI2IH.exe (PID: 2628)
Application launched itself
  • msiexec.exe (PID: 3632)
Searches for installed software
  • msiexec.exe (PID: 3632)
Low-level read access rights to disk partition
  • vssvc.exe (PID: 1296)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.msi
|   Microsoft Windows Installer (88.6%)
.mst
|   Windows SDK Setup Transform Script (10%)
.msi
|   Microsoft Installer (100%)
EXIF
FlashPix
Title:
Installation Database
Keywords:
Installer, MSI, Database
LastPrinted:
2009:12:11 11:47:44
CreateDate:
2009:12:11 11:47:44
ModifyDate:
2009:12:11 11:47:44
Pages:
200
Security:
None
CodePage:
Windows Latin 1 (Western European)
RevisionNumber:
{EF039855-95DA-4F53-B8CB-552320887DD9}
Words:
10
Subject:
Archivo
Author:
Principal
LastModifiedBy:
null
Software:
Advanced Installer 12.2.1 build 64247
Template:
;1027
Comments:
La base de dades del instal·lador conté la lògica i les dades necessàries per instal·lar Archivo.

Screenshots

Processes

Total processes
40
Monitored processes
7
Malicious processes
1
Suspicious processes
1

Behavior graph

+
start drop and start msiexec.exe no specs msiexec.exe vssvc.exe no specs drvinst.exe no specs msiexec.exe no specs qvta5974hi2ih.exe searchprotocolhost.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
628
CMD
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe13_ Global\UsGthrCtrlFltPipeMssGthrPipe13 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path
C:\Windows\System32\SearchProtocolHost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Protocol Host
Version
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msidle.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mssph.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\authz.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\profapi.dll
c:\windows\system32\version.dll
c:\users\admin\documents\qvta5974hi2ih.exe
c:\users\admin\documents\shfolder.dll

PID
2968
CMD
"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Sii0909098761234114.msi"
Path
C:\Windows\System32\msiexec.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll

PID
3632
CMD
C:\Windows\system32\msiexec.exe /V
Path
C:\Windows\system32\msiexec.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samlib.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\cabinet.dll
c:\users\admin\documents\qvta5974hi2ih.exe

PID
1296
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
1324
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "00000064" "00000394"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

PID
316
CMD
C:\Windows\system32\MsiExec.exe -Embedding 0018324347DB74C7528127155F5176C0
Path
C:\Windows\system32\MsiExec.exe
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msid92e.tmp
c:\windows\system32\comdlg32.dll
c:\windows\installer\msida38.tmp

PID
2628
CMD
"C:\Users\admin\Documents\QVTA5974HI2IH.exe"
Path
C:\Users\admin\Documents\QVTA5974HI2IH.exe
Indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
VMware, Inc.
Description
VMware NAT Service
Version
12.5.6 build-5528349
Modules
Image
c:\users\admin\documents\qvta5974hi2ih.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\users\admin\documents\shfolder.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptbase.dll

Registry activity

Total events
512
Read events
337
Write events
169
Delete events
6

Modification events

PID
Process
Operation
Key
Name
Value
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Enter)
40000000000000004CA3ACE40A52D501300E0000900C0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Enter)
40000000000000004CA3ACE40A52D501300E0000900C0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
LastIndex
24
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Enter)
40000000000000002ADDC6E40A52D501300E0000900C0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Enter)
40000000000000002ADDC6E40A52D501300E000034020000E8030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Leave)
4000000000000000269C47E50A52D501300E000034020000E8030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Leave)
4000000000000000107AD5E90A52D501300E0000900C0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Enter)
4000000000000000107AD5E90A52D501300E0000900C0000D4070000000000000000000000000000000000000000000000000000000000000000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Leave)
40000000000000002CC8E3E90A52D501300E0000900C0000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Enter)
4000000000000000A278F4E90A52D501300E0000D00B0000E9030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Leave)
4000000000000000DA1411EA0A52D501300E0000D00B0000E9030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Enter)
4000000000000000DA1411EA0A52D501300E0000D00A0000F9030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Leave)
4000000000000000429E1AEA0A52D501300E0000D00A0000F9030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Enter)
4000000000000000F6621FEA0A52D501300E0000900C00000A040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Leave)
4000000000000000BCBCDBEA0A52D501300E0000E00A00000A040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Leave)
4000000000000000BCBCDBEA0A52D501300E0000900C0000D0070000010000000000000000000000000000000000000000000000000000000000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Leave)
4000000000000000BCBCDBEA0A52D501300E0000900C0000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
FirstRun
0
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
LastIndex
24
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
1
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
StartNesting
4CA3ACE40A52D501
3632
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Owner
300E000006E088E40A52D501
3632
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
SessionHash
B6626F3018BC409354A0377075BFD8D26C8DC766F67DBFA0BBFC31AF3CCBC906
3632
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Sequence
1
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
C:\Windows\Installer\37d816.ipi
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Config.Msi\
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\37d817.rbs
30757395
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\37d817.rbsLow
1292436080
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\18BED8CA9F8E9EE4B8D3ED120D303F4E
B7D2C1A3F21F9124DAE4ED51F5F7DCA9
C:\Users\admin\Documents\QVTA5974HI2IH.exe
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\A90C7D8BF6668A947B3FB4D7D949BA6F
B7D2C1A3F21F9124DAE4ED51F5F7DCA9
C:\Users\admin\Documents\shfolder.dll
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\B2E138A0A5E0FAB419EB3670D769832C
B7D2C1A3F21F9124DAE4ED51F5F7DCA9
C:\Users\Public\Documents\
3632
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\72\52C64B7E
3632
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\72
3632
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
3632
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback
3632
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
0
3632
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
3632
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Enter)
40000000000000005452DCE40A52D50110050000540F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Enter)
40000000000000005452DCE40A52D50110050000E0050000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Enter)
40000000000000005452DCE40A52D50110050000B4090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Enter)
40000000000000005452DCE40A52D50110050000340E0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Leave)
40000000000000000817E1E40A52D50110050000340E0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Leave)
40000000000000000817E1E40A52D50110050000E0050000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Leave)
40000000000000006279E3E40A52D50110050000B4090000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Leave)
4000000000000000163EE8E40A52D50110050000540F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Enter)
40000000000000004816F2E90A52D50110050000540F000001040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Leave)
4000000000000000A278F4E90A52D50110050000540F000001040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Enter)
4000000000000000B09FFBE90A52D50110050000E0050000E9030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
4000000000000000B09FFBE90A52D50110050000540F0000E9030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Enter)
4000000000000000B09FFBE90A52D50110050000B4090000E9030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Leave)
40000000000000000A02FEE90A52D50110050000B4090000E9030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_STABLE (SetCurrentState)
40000000000000000A02FEE90A52D50110050000B409000001000000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Leave)
40000000000000000A02FEE90A52D50110050000540F0000E9030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_STABLE (SetCurrentState)
40000000000000000A02FEE90A52D50110050000540F000001000000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Leave)
40000000000000000A02FEE90A52D50110050000E0050000E9030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000646400EA0A52D50110050000E005000001000000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Enter)
4000000000000000429E1AEA0A52D50110050000E0050000F9030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Enter)
4000000000000000429E1AEA0A52D50110050000B4090000F9030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Enter)
4000000000000000429E1AEA0A52D50110050000540F0000F9030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Leave)
4000000000000000429E1AEA0A52D50110050000E0050000F9030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Leave)
4000000000000000429E1AEA0A52D50110050000B4090000F9030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Leave)
4000000000000000429E1AEA0A52D50110050000540F0000F9030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Enter)
4000000000000000F6621FEA0A52D501100500003805000002040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Leave)
400000000000000052FC79EA0A52D501100500003805000002040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Enter)
400000000000000052FC79EA0A52D5011005000038050000EA030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Enter)
4000000000000000602381EA0A52D50110050000300C0000EA030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Enter)
4000000000000000602381EA0A52D50110050000D80D0000EA030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Enter)
4000000000000000602381EA0A52D50110050000380B0000EA030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Leave)
40000000000000007C718FEA0A52D50110050000380B0000EA030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000007C718FEA0A52D50110050000380B000002000000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Leave)
40000000000000007C718FEA0A52D50110050000300C0000EA030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000007C718FEA0A52D50110050000300C000002000000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Leave)
4000000000000000D6D391EA0A52D50110050000D80D0000EA030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000D6D391EA0A52D50110050000D80D000002000000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Leave)
40000000000000000E70AEEA0A52D5011005000038050000EA030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Enter)
40000000000000000E70AEEA0A52D5011005000038050000EB030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Enter)
40000000000000000E70AEEA0A52D5011005000038050000EC030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Enter)
400000000000000068D2B0EA0A52D50110050000300C0000EB030000010000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Leave)
400000000000000068D2B0EA0A52D50110050000300C0000EB030000000000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
400000000000000068D2B0EA0A52D50110050000300C000003000000010000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Enter)
400000000000000068D2B0EA0A52D50110050000C0030000FC030000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Leave)
4000000000000000C234B3EA0A52D5011005000038050000EC030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Enter)
4000000000000000C234B3EA0A52D5011005000038050000ED030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Leave)
40000000000000001C97B5EA0A52D5011005000038050000ED030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Enter)
40000000000000001C97B5EA0A52D5011005000038050000EE030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Enter)
4000000000000000D05BBAEA0A52D50110050000380B0000EB030000010000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Leave)
4000000000000000D05BBAEA0A52D50110050000380B0000EB030000000000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000D05BBAEA0A52D50110050000380B000003000000010000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000D05BBAEA0A52D50110050000280E0000FC030000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Leave)
40000000000000002ABEBCEA0A52D5011005000038050000EE030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Enter)
40000000000000002ABEBCEA0A52D5011005000038050000F0030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Leave)
40000000000000002ABEBCEA0A52D5011005000038050000F0030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Enter)
40000000000000002ABEBCEA0A52D5011005000038050000EF030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Enter)
4000000000000000DE82C1EA0A52D50110050000380B0000EB030000010000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Leave)
40000000000000009247C6EA0A52D50110050000380B0000EB030000000000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
40000000000000009247C6EA0A52D50110050000380B000003000000010000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Enter)
40000000000000009247C6EA0A52D5011005000070060000FC030000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Leave)
40000000000000009247C6EA0A52D5011005000038050000EF030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Leave)
40000000000000009247C6EA0A52D5011005000038050000EB030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Enter)
40000000000000009247C6EA0A52D501100500003805000003040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Leave)
40000000000000009247C6EA0A52D501100500003805000003040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Enter)
40000000000000009247C6EA0A52D5011005000038050000FD030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Enter)
40000000000000009247C6EA0A52D5011005000088080000FD030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Leave)
40000000000000005433D2EA0A52D5011005000088080000FD030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Leave)
40000000000000005433D2EA0A52D5011005000038050000FD030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Enter)
40000000000000005433D2EA0A52D5011005000088080000FE030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Leave)
4000000000000000BCBCDBEA0A52D5011005000088080000FE030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Enter)
4000000000000000BCBCDBEA0A52D5011005000088080000FF030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Leave)
4000000000000000BCBCDBEA0A52D5011005000088080000FF030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Enter)
40000000000000005433D2EA0A52D5011005000038050000FE030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Leave)
4000000000000000BCBCDBEA0A52D5011005000038050000FE030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Enter)
4000000000000000BCBCDBEA0A52D5011005000038050000FF030000010000000000000000000000000000000000000000000000000000000000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Leave)
4000000000000000BCBCDBEA0A52D5011005000038050000FF030000000000000000000000000000000000000000000000000000000000000000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Enter)
4000000000000000BCBCDBEA0A52D50110050000A408000004040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Leave)
4000000000000000BCBCDBEA0A52D50110050000A408000004040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Enter)
4000000000000000BCBCDBEA0A52D501100500003805000005040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Leave)
4000000000000000BCBCDBEA0A52D501100500003805000005040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Enter)
4000000000000000BCBCDBEA0A52D5011005000038050000F4030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Leave)
4000000000000000BCBCDBEA0A52D5011005000038050000F4030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Enter)
4000000000000000BCBCDBEA0A52D5011005000038050000F2030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Enter)
4000000000000000CAE3E2EA0A52D5011005000078080000F2030000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Enter)
4000000000000000CAE3E2EA0A52D50110050000300C0000F2030000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000CAE3E2EA0A52D5011005000070060000FC030000000000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000CAE3E2EA0A52D50110050000C0030000FC030000000000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Enter)
4000000000000000CAE3E2EA0A52D5011005000024070000F2030000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Leave)
4000000000000000CAE3E2EA0A52D50110050000300C0000F2030000000000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Leave)
4000000000000000CAE3E2EA0A52D5011005000078080000F2030000000000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000CAE3E2EA0A52D50110050000280E0000FC030000000000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000CAE3E2EA0A52D50110050000300C000004000000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000CAE3E2EA0A52D501100500007808000004000000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Leave)
4000000000000000CAE3E2EA0A52D5011005000024070000F2030000000000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000CAE3E2EA0A52D501100500002407000004000000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Leave)
4000000000000000CAE3E2EA0A52D5011005000038050000F2030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Enter)
4000000000000000CAE3E2EA0A52D501100500003805000006040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Leave)
4000000000000000783010EB0A52D501100500003805000006040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Enter)
4000000000000000783010EB0A52D5011005000038050000F5030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Enter)
4000000000000000EEE020EB0A52D50110050000B4060000F5030000010000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Enter)
4000000000000000EEE020EB0A52D5011005000024070000F5030000010000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Enter)
4000000000000000EEE020EB0A52D50110050000300C0000F5030000010000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Leave)
4000000000000000EEE020EB0A52D50110050000B4060000F5030000000000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000EEE020EB0A52D50110050000B406000005000000010000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Leave)
4000000000000000EEE020EB0A52D50110050000300C0000F5030000000000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000EEE020EB0A52D50110050000300C000005000000010000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Leave)
4000000000000000BAB2B4EB0A52D5011005000024070000F5030000000000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000BAB2B4EB0A52D501100500002407000005000000010000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Leave)
4000000000000000BAB2B4EB0A52D5011005000038050000F5030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Enter)
4000000000000000BAB2B4EB0A52D501100500003805000007040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Leave)
40000000000000003063C5EB0A52D501100500003805000007040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Enter)
4000000000000000A613D6EB0A52D5011005000038050000FB030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Enter)
40000000000000000076D8EB0A52D5011005000078080000FB030000010000000500000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Enter)
40000000000000000076D8EB0A52D50110050000B4060000FB030000010000000500000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Enter)
40000000000000000076D8EB0A52D50110050000380B0000FB030000010000000500000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Leave)
40000000000000000076D8EB0A52D5011005000078080000FB030000000000000500000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Leave)
40000000000000000076D8EB0A52D50110050000B4060000FB030000000000000500000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Leave)
40000000000000000076D8EB0A52D50110050000380B0000FB030000000000000500000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1296
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Leave)
40000000000000000076D8EB0A52D5011005000038050000FB030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1324
DrvInst.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
2628
QVTA5974HI2IH.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Use FormSuggest
No
2628
QVTA5974HI2IH.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FormSuggest Passwords
No
2628
QVTA5974HI2IH.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FormSuggest PW Ask
No
2628
QVTA5974HI2IH.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
AutoSuggest
No
2628
QVTA5974HI2IH.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Xtq9nJjJ
C:\Users\admin\Documents\QVTA5974HI2IH.exe

Files activity

Executable files
3
Suspicious files
4
Text files
60
Unknown types
0

Dropped files

PID
Process
Filename
Type
3632
msiexec.exe
C:\Users\admin\Documents\shfolder.dll
executable
MD5: f6734bb3c1eef27ad0460910d09f9519
SHA256: 45b1283156911317ea3ca0c454a062d946f9f961743846085c399d6ac8fa9c03
3632
msiexec.exe
C:\Windows\Installer\MSIDA38.tmp
executable
MD5: 9f1e5d66c2889018daef4aef604eebc4
SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
3632
msiexec.exe
C:\Users\admin\Documents\QVTA5974HI2IH.exe
executable
MD5: b2218df5c3373a9a1b619e53281e9806
SHA256: 681ccc9e5bab3a23b3ce31fdc1eb8db268e79e1521e748d8f8c951d10a3a096c
3632
msiexec.exe
C:\Windows\Installer\MSID92E.tmp
––
MD5:  ––
SHA256:  ––
3632
msiexec.exe
C:\Config.Msi\37d817.rbs
––
MD5:  ––
SHA256:  ––
3632
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DFAC98A46266340E33.TMP
––
MD5:  ––
SHA256:  ––
3632
msiexec.exe
C:\Windows\Installer\MSIDA97.tmp
––
MD5:  ––
SHA256:  ––
3632
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DF35911F8B6E7A68A3.TMP
––
MD5:  ––
SHA256:  ––
1296
vssvc.exe
C:
––
MD5:  ––
SHA256:  ––
3632
msiexec.exe
C:\System Volume Information\SPP\snapshot-2
binary
MD5: 2cbc37c3d709318d84f3ec38606a109d
SHA256: ffc6964af2aa7a1510d41e24c1c4f7895924d99a34aba60311ffca4d8bb47b2b
3632
msiexec.exe
C:\Windows\Installer\37d814.msi
––
MD5:  ––
SHA256:  ––
1324
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
text
MD5: 47d518815d875344ae879d3eafba981e
SHA256: 17b09958d4cb1fcfef5c8796cdabc4446034c754d5b697b420c8d5d16c4ec59e
1324
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: b93327c88ae218d4f923cdfeeabb82d8
SHA256: b0fbae1f1efc4aaa13e20a2a8fc2a52dfe29e715d2c8e164eea0bb19fb175c92
1324
DrvInst.exe
C:\Windows\INF\setupapi.ev3
binary
MD5: 8f761032829fb6121aee77e26dc667a6
SHA256: f83e1592023b7c8f6c15847f26d30770c0a52e6c7304dba951eea437e2737649
1324
DrvInst.exe
C:\Windows\INF\setupapi.ev1
binary
MD5: 7b4d23200a6d0d8f85980cf442171338
SHA256: 8f9fade2a2ce1d30e6ea45231a1b055593faddf61c4b70751ea59319954d2e7c
3632
msiexec.exe
C:\System Volume Information\SPP\metadata-2
––
MD5:  ––
SHA256:  ––
3632
msiexec.exe
C:\System Volume Information\SPP\OnlineMetadataCache\{7cabaccc-6009-46ff-b675-8f0060847594}_OnDiskSnapshotProp
binary
MD5: 2cbc37c3d709318d84f3ec38606a109d
SHA256: ffc6964af2aa7a1510d41e24c1c4f7895924d99a34aba60311ffca4d8bb47b2b
3632
msiexec.exe
C:\Windows\Installer\37d816.ipi
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

Process Message
QVTA5974HI2IH.exe CodeSet_Init: no ICU