General Info

File name

Sii0909098761234114.msi

Full analysis
https://app.any.run/tasks/ded5169b-90c4-4855-a5a4-d17817892d4f
Verdict
Malicious activity
Analysis date
8/13/2019, 21:08:50
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

generated-doc

Indicators:

MIME:
application/x-msi
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {EF039855-95DA-4F53-B8CB-552320887DD9}, Number of Words: 10, Subject: Archivo, Author: Principal, Name of Creating Application: Advanced Installer 12.2.1 build 64247, Template: ;1027, Comments: La base de dades del installador cont la lgica i les dades necessries per installar Archivo.
MD5

69bf9fab7277a08db19e049e4b16695d

SHA1

1127d9025de9e42f11e3fa31c157e9e3af78d11d

SHA256

75e4c68705063e0cead0028b63d02fecfc91301a776d24e3e58e858063d79302

SSDEEP

196608:jE3msQOTE4GyNB0Fa3mVUr8Ejl4OPbYsZJK7eoc:g3m4TEyNB0gI+9jYwWX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • QVTA5974HI2IH.exe (PID: 3688)
  • SearchProtocolHost.exe (PID: 1512)
Application was dropped or rewritten from another process
  • QVTA5974HI2IH.exe (PID: 3688)
Changes the autorun value in the registry
  • QVTA5974HI2IH.exe (PID: 3688)
Executed via COM
  • DrvInst.exe (PID: 3060)
Disables Form Suggestion in IE
  • QVTA5974HI2IH.exe (PID: 3688)
Executed as Windows Service
  • vssvc.exe (PID: 1484)
Executable content was dropped or overwritten
  • msiexec.exe (PID: 3652)
Application launched itself
  • msiexec.exe (PID: 3652)
Low-level read access rights to disk partition
  • vssvc.exe (PID: 1484)
Searches for installed software
  • msiexec.exe (PID: 3652)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.msi
|   Microsoft Windows Installer (88.6%)
.mst
|   Windows SDK Setup Transform Script (10%)
.msi
|   Microsoft Installer (100%)
EXIF
FlashPix
Title:
Installation Database
Keywords:
Installer, MSI, Database
LastPrinted:
2009:12:11 11:47:44
CreateDate:
2009:12:11 11:47:44
ModifyDate:
2009:12:11 11:47:44
Pages:
200
Security:
None
CodePage:
Windows Latin 1 (Western European)
RevisionNumber:
{EF039855-95DA-4F53-B8CB-552320887DD9}
Words:
10
Subject:
Archivo
Author:
Principal
LastModifiedBy:
null
Software:
Advanced Installer 12.2.1 build 64247
Template:
;1027
Comments:
La base de dades del instal·lador conté la lògica i les dades necessàries per instal·lar Archivo.

Screenshots

Processes

Total processes
41
Monitored processes
7
Malicious processes
1
Suspicious processes
1

Behavior graph

+
start drop and start msiexec.exe no specs msiexec.exe vssvc.exe no specs drvinst.exe no specs msiexec.exe no specs qvta5974hi2ih.exe searchprotocolhost.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
1512
CMD
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe13_ Global\UsGthrCtrlFltPipeMssGthrPipe13 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path
C:\Windows\System32\SearchProtocolHost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Protocol Host
Version
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msidle.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mssph.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\authz.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\profapi.dll
c:\windows\system32\version.dll
c:\users\admin\documents\qvta5974hi2ih.exe
c:\users\admin\documents\shfolder.dll

PID
2488
CMD
"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Sii0909098761234114.msi"
Path
C:\Windows\System32\msiexec.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll

PID
3652
CMD
C:\Windows\system32\msiexec.exe /V
Path
C:\Windows\system32\msiexec.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samlib.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\cabinet.dll
c:\users\admin\documents\qvta5974hi2ih.exe

PID
1484
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
3060
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000005DC" "00000578"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

PID
3244
CMD
C:\Windows\system32\MsiExec.exe -Embedding DDF5F4FCDFA15EA091A33CA4A700E1C1
Path
C:\Windows\system32\MsiExec.exe
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msi27df.tmp
c:\windows\system32\comdlg32.dll
c:\windows\installer\msi29a5.tmp

PID
3688
CMD
"C:\Users\admin\Documents\QVTA5974HI2IH.exe"
Path
C:\Users\admin\Documents\QVTA5974HI2IH.exe
Indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
VMware, Inc.
Description
VMware NAT Service
Version
12.5.6 build-5528349
Modules
Image
c:\users\admin\documents\qvta5974hi2ih.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\users\admin\documents\shfolder.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll

Registry activity

Total events
505
Read events
330
Write events
169
Delete events
6

Modification events

PID
Process
Operation
Key
Name
Value
3652
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\72\52C64B7E
3652
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\72
3652
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
3652
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback
3652
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
3652
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Enter)
4000000000000000DA072C960A52D501440E000094060000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Enter)
4000000000000000DA072C960A52D501440E000094060000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
LastIndex
24
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Enter)
40000000000000007A2D52960A52D501440E000094060000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Enter)
4000000000000000D48F54960A52D501440E000030070000E8030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Leave)
40000000000000001612F9960A52D501440E000030070000E8030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Leave)
400000000000000068A6C19C0A52D501440E000094060000D3070000010000000000000000000000000000000000000000000000000000000000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Enter)
400000000000000068A6C19C0A52D501440E000094060000D4070000000000000000000000000000000000000000000000000000000000000000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Leave)
400000000000000038B9D49C0A52D501440E000094060000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Enter)
4000000000000000622EEA9C0A52D501440E0000F40F0000E9030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Leave)
40000000000000004E8F0B9D0A52D501440E0000F40F0000E9030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Enter)
4000000000000000A8F10D9D0A52D501440E0000BC090000F9030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Leave)
4000000000000000B618159D0A52D501440E0000BC090000F9030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Enter)
4000000000000000C43F1C9D0A52D501440E0000940600000A040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Leave)
400000000000000008F9189E0A52D501440E0000F40600000A040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Leave)
400000000000000008F9189E0A52D501440E000094060000D0070000010000000000000000000000000000000000000000000000000000000000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Leave)
400000000000000008F9189E0A52D501440E000094060000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
FirstRun
0
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
LastIndex
24
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
1
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
StartNesting
DA072C960A52D501
3652
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Owner
440E00002CBBFE950A52D501
3652
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
SessionHash
4499EEC7E45CBB14DB38058A49492DE501B04EADAB5762ACEC40B31D27914948
3652
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Sequence
1
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
C:\Windows\Installer\37263b.ipi
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Config.Msi\
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\37263c.rbs
30757395
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\37263c.rbsLow
9136080
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\18BED8CA9F8E9EE4B8D3ED120D303F4E
B7D2C1A3F21F9124DAE4ED51F5F7DCA9
C:\Users\admin\Documents\QVTA5974HI2IH.exe
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\A90C7D8BF6668A947B3FB4D7D949BA6F
B7D2C1A3F21F9124DAE4ED51F5F7DCA9
C:\Users\admin\Documents\shfolder.dll
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\B2E138A0A5E0FAB419EB3670D769832C
B7D2C1A3F21F9124DAE4ED51F5F7DCA9
C:\Users\Public\Documents\
3652
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
0
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Enter)
40000000000000004A4065960A52D501CC050000A00C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Enter)
40000000000000004A4065960A52D501CC05000080060000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Enter)
40000000000000004A4065960A52D501CC05000038090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Enter)
40000000000000004A4065960A52D501CC050000500C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Leave)
4000000000000000B2C96E960A52D501CC05000038090000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Leave)
4000000000000000B2C96E960A52D501CC050000A00C0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Leave)
4000000000000000668E73960A52D501CC050000500C0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Leave)
40000000000000001A5378960A52D501CC05000080060000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Enter)
400000000000000008CCE79C0A52D501CC0500008006000001040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Leave)
4000000000000000622EEA9C0A52D501CC0500008006000001040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Enter)
4000000000000000CAB7F39C0A52D501CC050000A00C0000E9030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
4000000000000000CAB7F39C0A52D501CC05000080060000E9030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Enter)
4000000000000000CAB7F39C0A52D501CC050000500C0000E9030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Leave)
4000000000000000241AF69C0A52D501CC050000A00C0000E9030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000241AF69C0A52D501CC050000A00C000001000000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Leave)
4000000000000000241AF69C0A52D501CC050000500C0000E9030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000241AF69C0A52D501CC050000500C000001000000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Leave)
40000000000000007E7CF89C0A52D501CC05000080060000E9030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_STABLE (SetCurrentState)
40000000000000007E7CF89C0A52D501CC0500008006000001000000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Enter)
4000000000000000B618159D0A52D501CC05000080060000F9030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Enter)
4000000000000000B618159D0A52D501CC050000A00C0000F9030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Enter)
4000000000000000B618159D0A52D501CC050000500C0000F9030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Leave)
4000000000000000B618159D0A52D501CC05000080060000F9030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Leave)
4000000000000000B618159D0A52D501CC050000500C0000F9030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Leave)
4000000000000000B618159D0A52D501CC050000A00C0000F9030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Enter)
4000000000000000C43F1C9D0A52D501CC0500004C0B000002040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Leave)
4000000000000000B2D7959D0A52D501CC0500004C0B000002040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Enter)
40000000000000000C3A989D0A52D501CC0500004C0B0000EA030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Enter)
400000000000000074C3A19D0A52D501CC050000B40B0000EA030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Enter)
400000000000000074C3A19D0A52D501CC050000B0080000EA030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Enter)
400000000000000074C3A19D0A52D501CC05000024030000EA030000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Leave)
4000000000000000EA73B29D0A52D501CC050000B0080000EA030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000EA73B29D0A52D501CC050000B008000002000000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Leave)
400000000000000044D6B49D0A52D501CC050000B40B0000EA030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
400000000000000044D6B49D0A52D501CC050000B40B000002000000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Leave)
400000000000000044D6B49D0A52D501CC05000024030000EA030000000000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
400000000000000044D6B49D0A52D501CC0500002403000002000000010000000100000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Leave)
4000000000000000F222E29D0A52D501CC0500004C0B0000EA030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Enter)
4000000000000000F222E29D0A52D501CC0500004C0B0000EB030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Enter)
4000000000000000F222E29D0A52D501CC0500004C0B0000EC030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Enter)
4000000000000000A6E7E69D0A52D501CC050000E40F0000EB030000010000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Leave)
4000000000000000A6E7E69D0A52D501CC050000E40F0000EB030000000000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000A6E7E69D0A52D501CC050000E40F000003000000010000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000A6E7E69D0A52D501CC050000F8070000FC030000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Leave)
4000000000000000A6E7E69D0A52D501CC0500004C0B0000EC030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Enter)
4000000000000000A6E7E69D0A52D501CC0500004C0B0000ED030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Leave)
40000000000000005AACEB9D0A52D501CC0500004C0B0000ED030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Enter)
40000000000000005AACEB9D0A52D501CC0500004C0B0000EE030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Enter)
40000000000000000E71F09D0A52D501CC050000B40B0000EB030000010000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Leave)
40000000000000000E71F09D0A52D501CC050000B40B0000EB030000000000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
40000000000000000E71F09D0A52D501CC050000B40B000003000000010000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Enter)
40000000000000000E71F09D0A52D501CC050000E00E0000FC030000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Leave)
400000000000000068D3F29D0A52D501CC0500004C0B0000EE030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Enter)
400000000000000068D3F29D0A52D501CC0500004C0B0000F0030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Leave)
400000000000000068D3F29D0A52D501CC0500004C0B0000F0030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Enter)
400000000000000068D3F29D0A52D501CC0500004C0B0000EF030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Enter)
40000000000000001C98F79D0A52D501CC050000C8050000EB030000010000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Leave)
4000000000000000D05CFC9D0A52D501CC050000C8050000EB030000000000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000D05CFC9D0A52D501CC050000C805000003000000010000000200000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000D05CFC9D0A52D501CC050000040C0000FC030000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Leave)
4000000000000000D05CFC9D0A52D501CC0500004C0B0000EF030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Leave)
4000000000000000D05CFC9D0A52D501CC0500004C0B0000EB030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Enter)
4000000000000000D05CFC9D0A52D501CC0500004C0B000003040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Leave)
4000000000000000D05CFC9D0A52D501CC0500004C0B000003040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Enter)
4000000000000000D05CFC9D0A52D501CC0500004C0B0000FD030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Enter)
40000000000000002ABFFE9D0A52D501CC050000FC020000FD030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Leave)
4000000000000000ECAA0A9E0A52D501CC050000FC020000FD030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Leave)
4000000000000000ECAA0A9E0A52D501CC0500004C0B0000FD030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Enter)
4000000000000000ECAA0A9E0A52D501CC050000FC020000FE030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Leave)
4000000000000000AE96169E0A52D501CC050000FC020000FE030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Enter)
4000000000000000AE96169E0A52D501CC050000FC020000FF030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Leave)
4000000000000000AE96169E0A52D501CC050000FC020000FF030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Enter)
4000000000000000ECAA0A9E0A52D501CC0500004C0B0000FE030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Leave)
4000000000000000AE96169E0A52D501CC0500004C0B0000FE030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Enter)
4000000000000000AE96169E0A52D501CC0500004C0B0000FF030000010000000000000000000000000000000000000000000000000000000000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Leave)
4000000000000000AE96169E0A52D501CC0500004C0B0000FF030000000000000000000000000000000000000000000000000000000000000000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Enter)
4000000000000000AE96169E0A52D501CC0500001C07000004040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Leave)
4000000000000000AE96169E0A52D501CC0500001C07000004040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Enter)
4000000000000000AE96169E0A52D501CC0500004C0B000005040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Leave)
4000000000000000AE96169E0A52D501CC0500004C0B000005040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Enter)
400000000000000008F9189E0A52D501CC0500004C0B0000F4030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Leave)
400000000000000008F9189E0A52D501CC0500004C0B0000F4030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Enter)
400000000000000008F9189E0A52D501CC0500004C0B0000F2030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Enter)
40000000000000001620209E0A52D501CC050000C8050000F2030000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Enter)
40000000000000001620209E0A52D501CC050000B0080000F2030000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Leave)
40000000000000001620209E0A52D501CC050000F8070000FC030000000000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Leave)
40000000000000001620209E0A52D501CC050000B0080000F2030000000000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
40000000000000001620209E0A52D501CC050000B008000004000000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Leave)
40000000000000001620209E0A52D501CC050000040C0000FC030000000000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Leave)
40000000000000001620209E0A52D501CC050000C8050000F2030000000000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
40000000000000001620209E0A52D501CC050000C805000004000000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Enter)
40000000000000007082229E0A52D501CC050000B40B0000F2030000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Leave)
40000000000000007082229E0A52D501CC050000E00E0000FC030000000000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Leave)
40000000000000007082229E0A52D501CC050000B40B0000F2030000000000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
40000000000000007082229E0A52D501CC050000B40B000004000000010000000300000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Leave)
40000000000000007082229E0A52D501CC0500004C0B0000F2030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Enter)
40000000000000007082229E0A52D501CC0500004C0B000006040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Leave)
4000000000000000947F609E0A52D501CC0500004C0B000006040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Enter)
4000000000000000EEE1629E0A52D501CC0500004C0B0000F5030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Enter)
40000000000000006492739E0A52D501CC050000B0080000F5030000010000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Enter)
40000000000000006492739E0A52D501CC050000C8050000F5030000010000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Enter)
40000000000000006492739E0A52D501CC050000F40F0000F5030000010000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Leave)
40000000000000006492739E0A52D501CC050000F40F0000F5030000000000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
40000000000000006492739E0A52D501CC050000F40F000005000000010000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Leave)
40000000000000006492739E0A52D501CC050000B0080000F5030000000000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000BEF4759E0A52D501CC050000B008000005000000010000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Leave)
400000000000000040C2669F0A52D501CC050000C8050000F5030000000000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
400000000000000040C2669F0A52D501CC050000C805000005000000010000000400000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Leave)
400000000000000040C2669F0A52D501CC0500004C0B0000F5030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Enter)
400000000000000040C2669F0A52D501CC0500004C0B000007040000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Leave)
40000000000000001EFC809F0A52D501CC0500004C0B000007040000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Enter)
4000000000000000785E839F0A52D501CC0500004C0B0000FB030000010000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Enter)
40000000000000002C23889F0A52D501CC050000B0080000FB030000010000000500000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Leave)
40000000000000002C23889F0A52D501CC050000B0080000FB030000000000000500000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Enter)
40000000000000002C23889F0A52D501CC05000024030000FB030000010000000500000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Leave)
40000000000000002C23889F0A52D501CC05000024030000FB030000000000000500000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Enter)
40000000000000002C23889F0A52D501CC050000B40B0000FB030000010000000500000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Leave)
40000000000000002C23889F0A52D501CC050000B40B0000FB030000000000000500000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
1484
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Leave)
40000000000000002C23889F0A52D501CC0500004C0B0000FB030000000000000000000000000000CCACAB7C0960FF46B6758F00608475940000000000000000
3060
DrvInst.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
3688
QVTA5974HI2IH.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Use FormSuggest
No
3688
QVTA5974HI2IH.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FormSuggest Passwords
No
3688
QVTA5974HI2IH.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FormSuggest PW Ask
No
3688
QVTA5974HI2IH.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
AutoSuggest
No
3688
QVTA5974HI2IH.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
0skf6z8r
C:\Users\admin\Documents\QVTA5974HI2IH.exe

Files activity

Executable files
3
Suspicious files
6
Text files
55
Unknown types
0

Dropped files

PID
Process
Filename
Type
3652
msiexec.exe
C:\Users\admin\Documents\shfolder.dll
executable
MD5: f6734bb3c1eef27ad0460910d09f9519
SHA256: 45b1283156911317ea3ca0c454a062d946f9f961743846085c399d6ac8fa9c03
3652
msiexec.exe
C:\Windows\Installer\MSI27DF.tmp
executable
MD5: 9f1e5d66c2889018daef4aef604eebc4
SHA256: 02a81aea451cdfa2cd6668e3b814c4e50c6025e36b70ab972a8cc68aba5b3222
3652
msiexec.exe
C:\Users\admin\Documents\QVTA5974HI2IH.exe
executable
MD5: b2218df5c3373a9a1b619e53281e9806
SHA256: 681ccc9e5bab3a23b3ce31fdc1eb8db268e79e1521e748d8f8c951d10a3a096c
3652
msiexec.exe
C:\Windows\Installer\MSI29A5.tmp
––
MD5:  ––
SHA256:  ––
3652
msiexec.exe
C:\Config.Msi\37263c.rbs
––
MD5:  ––
SHA256:  ––
3652
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DF732150D332154814.TMP
––
MD5:  ––
SHA256:  ––
3652
msiexec.exe
C:\Windows\Installer\MSI2A62.tmp
binary
MD5: b0a75780ce9bf3b83379ed929c172e41
SHA256: 1518d21ab91e383cf596163c94b92b24e40878935286f08d24129c7094a410f5
3652
msiexec.exe
C:\Windows\Installer\37263b.ipi
binary
MD5: 8425ed315d8d06a02c8016c666f83977
SHA256: 7712011d8654d046cc5343eecff72a06db5fbb4de290e935c290a727c8afcec6
3652
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DFDF2DDE43514ECFE5.TMP
––
MD5:  ––
SHA256:  ––
3652
msiexec.exe
C:\System Volume Information\SPP\OnlineMetadataCache\{7cabaccc-6009-46ff-b675-8f0060847594}_OnDiskSnapshotProp
binary
MD5: 7bb96deeef7c63c39c7d3e997f4fbe50
SHA256: a691666c7f274d3f9758e22eb5476a4836326cbf8fea8a8013a961a53999a844
1484
vssvc.exe
C:
––
MD5:  ––
SHA256:  ––
3652
msiexec.exe
C:\Windows\Installer\372639.msi
––
MD5:  ––
SHA256:  ––
3060
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 742c45352dba8d49c1d50698f5c1b826
SHA256: 5f31c94c45a2d4964bd996c01b3381aeeca5aa39e137e5dede0d6f72a73de793
3060
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: af215e34d00f19f406d064cb13407114
SHA256: 50efbba318045a5c270c7abe975b6575b55002e2a49e86e5e43261ccf69c92ae
3060
DrvInst.exe
C:\Windows\INF\setupapi.ev1
binary
MD5: 3d9a913f82da63e936c3adbe408f5c3b
SHA256: d26777b057405a730da4b7c8e678e8d78a2a5b6b1b7e7bcbe90b6f5b7074637d
3060
DrvInst.exe
C:\Windows\INF\setupapi.ev3
binary
MD5: 8f761032829fb6121aee77e26dc667a6
SHA256: f83e1592023b7c8f6c15847f26d30770c0a52e6c7304dba951eea437e2737649
3652
msiexec.exe
C:\System Volume Information\SPP\metadata-2
––
MD5:  ––
SHA256:  ––
3652
msiexec.exe
C:\System Volume Information\SPP\snapshot-2
binary
MD5: 7bb96deeef7c63c39c7d3e997f4fbe50
SHA256: a691666c7f274d3f9758e22eb5476a4836326cbf8fea8a8013a961a53999a844
3652
msiexec.exe
C:\Windows\Installer\37263b.ipi
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

Process Message
QVTA5974HI2IH.exe CodeSet_Init: no ICU