2461d5d8eb8bfaa6b178fe2c457c215bbea85443a7d33bb007aa7dce52428d18

Analysis

max time kernel
142s
max time network
141s
platform
windows10_x64
resource
win10
submitted
09-07-2020 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3.msi
Size

2.7MB
MD5

37d4011965747658d3a4dce01d375677
SHA1

a6ecd3a818d463155c31977000e6fde3eb8a2352
SHA256

2461d5d8eb8bfaa6b178fe2c457c215bbea85443a7d33bb007aa7dce52428d18
SHA512

9bdb506ae47b731efbdaedac5a95cc3e9d915f6a0de4b359e991c33e39cbc1072c47e10aeb35adf9d7a071d340346be09d8602f15d0faba346961751cf642329

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2680	ypoc.exe
3876	policy.exe

Loads dropped DLL 4 IoCs

pid	Process
1784	MsiExec.exe
1784	MsiExec.exe
3876	policy.exe
3876	policy.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Microsoft.Data.Sqlite.dll	policy.exe
File created	C:\Windows\SysWOW64\System.IO.Compression.dll	policy.exe
File created	C:\Windows\SysWOW64\System.IO.Compression.FileSystem.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Runtime.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Xml.XPath.XDocument.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Data.Common.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Net.Http.dll	policy.exe
File created	C:\Windows\SysWOW64\SQLitePCLRaw.core.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Globalization.Extensions.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Runtime.Serialization.Primitives.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Security.SecureString.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Diagnostics.StackTrace.dll	policy.exe
File created	C:\Windows\SysWOW64\SQLitePCLRaw.batteries_v2.dll	policy.exe
File created	C:\Windows\SysWOW64\SQLitePCLRaw.nativelibrary.DLL	policy.exe
File created	C:\Windows\SysWOW64\System.Runtime.CompilerServices.Unsafe.DLL	policy.exe
File created	C:\Windows\SysWOW64\id	policy.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.Data.Sqlite.dll	policy.exe
File created	C:\Windows\SysWOW64\SQLitePCLRaw.provider.dynamic_cdecl.DLL	policy.exe
File created	C:\Windows\SysWOW64\System.Numerics.Vectors.DLL	policy.exe
File created	C:\Windows\SysWOW64\netstandard.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Memmory.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Memory.DLL	policy.exe
File created	C:\Windows\SysWOW64\System.Net.Sockets.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Runtime.InteropServices.RuntimeInformation.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Runtime.Serialization.Xml.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Security.Cryptography.Algorithms.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Threading.Overlapped.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Buffers.dll	policy.exe
File created	C:\Windows\SysWOW64\runtimes\win-x64\native\e_sqlite3.dll	policy.exe
File created	C:\Windows\SysWOW64\runtimes\win-x86\native\e_sqlite3.dll	policy.exe
File created	C:\Windows\SysWOW64\System.ValueTuple.dll	policy.exe
File created	C:\Windows\SysWOW64\System.Diagnostics.Tracing.dll	policy.exe
File created	C:\Windows\SysWOW64\Policy.exe	policy.exe

Modifies service 2 TTPs 161 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\IDENTIFY (Enter) = 48000000000000001264733fed55d6018c0d00004c070000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_BEGINPREPARE (Leave) = 480000000000000076876f46ed55d6018c0d0000f001000001040000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\PREPAREBACKUP (Enter) = 480000000000000076876f46ed55d6019009000080020000e9030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\PREPAREBACKUP (Enter) = 4800000000000000abea7146ed55d6018c0d0000f0010000e9030000010000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\GETSTATE (Leave) = 4800000000000000fc719a46ed55d601900900009c020000f9030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{9563bb1f-0000-0000-0000-500600000000}_)\IOCTL_RELEASE (Enter) = 4800000000000000d6c62f48ed55d6018c0d0000f4040000ff030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_FLUSH_AND_HOLD (Leave) = 4800000000000000d6c62f48ed55d6018c0d000088020000fe030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_BACK (Leave) = 48000000000000002a2e5947ed55d6018c0d000088020000ed030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 4800000000000000e4e83648ed55d6018c0d0000ec03000004000000010000000300000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PREFINALCOMMIT (Leave) = 48000000000000009e227048ed55d6018c0d00008802000006040000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\GETSTATE (Enter) = 4800000000000000fc719a46ed55d6018c0d0000f0010000f9030000010000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_KTM (Enter) = 480000000000000076546047ed55d6018c0d000088020000f0030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_COMMIT (Enter) = 4800000000000000d6c62f48ed55d6018c0d0000c804000004040000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\POSTSNAPSHOT (Leave) = 48000000000000009e227048ed55d6018c0d0000f0030000f5030000000000000400000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\GETSTATE (Leave) = 4800000000000000fc719a46ed55d6018c0d00004c070000f9030000000000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\FREEZE (Leave) = 4800000000000000f7b84347ed55d6018c0d0000f0030000eb030000000000000200000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\THAW (Enter) = 4800000000000000e4e83648ed55d6018c0d0000ec030000f2030000010000000300000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\POSTSNAPSHOT (Leave) = 4800000000000000bb477748ed55d6018c0d0000f4030000f5030000000000000400000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\POSTSNAPSHOT (Leave) = 4800000000000000ef819148ed55d6018c0d000088020000f5030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\IDENTIFY (Leave) = 4800000000000000a68a7a3fed55d6018c0d00004c070000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppAddInterestingComponents (Enter) = 48000000000000009f020946ed55d60190090000cc0b0000d40700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\PREPAREBACKUP (Leave) = 480000000000000078129846ed55d6019009000080020000e9030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\PREPARESNAPSHOT (Leave) = 480000000000000084f43e47ed55d6018c0d000088020000ea030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_THAW (SetCurrentState) = 48000000000000002a2e5947ed55d6018c0d0000ec03000003000000010000000200000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\BACKUPSHUTDOWN (Leave) = 48000000000000009782b048ed55d6018c0d0000ec030000fb030000000000000500000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer\IDENTIFY (Enter) = 48000000000000001264733fed55d6018c0d0000f0010000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer\IDENTIFY (Leave) = 48000000000000008bee7c3fed55d6018c0d0000f0010000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_RM (Enter) = 480000000000000076546047ed55d6018c0d000088020000ef030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Leave) = 4800000000000000938c5b3fed55d60190090000cc0b0000d20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\GETSTATE (Enter) = 4800000000000000fc719a46ed55d6018c0d0000f0010000f9030000010000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\PREPARESNAPSHOT (Enter) = 4800000000000000a095df46ed55d6018c0d000090030000ea030000010000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\FREEZE (Leave) = 48000000000000005b9fea47ed55d6018c0d0000f4030000eb030000000000000200000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PRECOMMIT (Enter) = 48000000000000005b9fea47ed55d6018c0d00008802000003040000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_RELEASE (Enter) = 4800000000000000d6c62f48ed55d6018c0d000088020000ff0300000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Leave) = 48000000000000009031c148ed55d6015005000084050000d10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{9563bb1f-0000-0000-0000-500600000000}_)\IOCTL_FLUSH_AND_HOLD (Leave) = 4800000000000000d6c62f48ed55d6018c0d0000f4040000fe030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Enter) = 4800000000000000d4a7b748ed55d6015005000084050000d10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppAddInterestingComponents (Leave) = 4800000000000000c6163b46ed55d60190090000cc0b0000d40700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\BACKUPSHUTDOWN (Enter) = 48000000000000009782b048ed55d6018c0d0000ec030000fb030000010000000500000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\GETSTATE (Leave) = 4800000000000000fc719a46ed55d6018c0d0000f0010000f9030000000000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_ENDPREPARE (Leave) = 4800000000000000dd74d846ed55d6018c0d00008802000002040000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPARESNAPSHOT (Enter) = 4800000000000000a095df46ed55d6018c0d0000ec030000ea030000010000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTCOMMIT (Enter) = 4800000000000000d6c62f48ed55d6018c0d00008802000005040000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Enter) = 480000000000000036cfbe48ed55d6015005000084050000d20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\FREEZE (Enter) = 48000000000000002a2e5947ed55d6018c0d0000ec030000eb030000010000000200000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\FREEZE (Enter) = 480000000000000076546047ed55d6018c0d0000f4030000eb030000010000000200000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_THAW (SetCurrentState) = 48000000000000005b9fea47ed55d6018c0d0000f403000003000000010000000200000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\BKGND_FREEZE_THREAD (Enter) = 48000000000000005b9fea47ed55d6018c0d0000cc040000fc030000010000000300000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_RELEASE (Leave) = 4800000000000000d6c62f48ed55d6018c0d000088020000ff0300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\BACKUPSHUTDOWN (Leave) = 48000000000000009782b048ed55d6018c0d000088020000fb030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Enter) = 48000000000000009031c148ed55d6015005000084050000d10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGatherWriterMetadata (Leave) = 48000000000000009f020946ed55d60190090000cc0b0000d30700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\BKGND_FREEZE_THREAD (Enter) = 4800000000000000f7b84347ed55d6018c0d0000a0040000fc030000010000000300000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\POSTSNAPSHOT (Enter) = 48000000000000009e227048ed55d6018c0d000088020000f5030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGatherWriterMetadata (Enter) = 480000000000000078da693fed55d60190090000cc0b0000d30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\FREEZE (Leave) = 48000000000000002a2e5947ed55d6018c0d0000ec030000eb030000000000000200000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\BKGND_FREEZE_THREAD (Enter) = 48000000000000002a2e5947ed55d6018c0d0000bc040000fc030000010000000300000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{9563bb1f-0000-0000-0000-500600000000}_)\IOCTL_FLUSH_AND_HOLD (Enter) = 48000000000000004e881548ed55d6018c0d0000f4040000fe030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 4800000000000000bb477748ed55d6018c0d0000f403000005000000010000000400000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Enter) = 4800000000000000856e9d48ed55d6015005000084050000d20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTFINALCOMMIT (Leave) = 4800000000000000babcab48ed55d6018c0d00008802000007040000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Leave) = 4800000000000000dd09ba48ed55d6015005000084050000d10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Enter) = 4800000000000000d6ef3e3fed55d60190090000cc0b0000d20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Enter) = 4800000000000000c5ee5d3fed55d60190090000cc0b0000d10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\IDENTIFY (Enter) = 48000000000000001264733fed55d6018c0d0000800d0000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\PREPAREBACKUP (Enter) = 4800000000000000abea7146ed55d6018c0d00004c070000e9030000010000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\DOSNAPSHOT (Enter) = 48000000000000008463a646ed55d60190090000cc0b00000a040000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\IDENTIFY (Leave) = 4800000000000000a68a7a3fed55d6018c0d0000a00c0000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_BEGINPREPARE (Enter) = 480000000000000076876f46ed55d6018c0d0000f001000001040000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\PREPAREBACKUP (Leave) = 4800000000000000224c7446ed55d6018c0d00004c070000e9030000000000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_KTM (Leave) = 480000000000000076546047ed55d6018c0d000088020000f0030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{9563bb1f-0000-0000-0000-500600000000}_)\OPEN_VOLUME_HANDLE (Leave) = 48000000000000004e881548ed55d6018c0d0000f4040000fd030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\THAW_KTM (Leave) = 480000000000000001253248ed55d6018c0d000088020000f4030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore\SrCreateRp (Enter) = 4800000000000000d6ef3e3fed55d60190090000cc0b0000d50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\IDENTIFY (Leave) = 480000000000000056deb542ed55d60190090000880f0000e8030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE (Enter) = 480000000000000084f43e47ed55d6018c0d000088020000eb030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{9563bb1f-0000-0000-0000-500600000000}_)\OPEN_VOLUME_HANDLE (Enter) = 48000000000000005b9fea47ed55d6018c0d0000f4040000fd030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore\SrCreateRp (Leave) = 4800000000000000e4e83648ed55d60190090000cc0b0000d50700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PREFINALCOMMIT (Enter) = 480000000000000006ad3b48ed55d6018c0d00008802000006040000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP	srtasks.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\THAW (Enter) = 480000000000000001253248ed55d6018c0d000088020000f2030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\DOSNAPSHOT (Leave) = 480000000000000001253248ed55d60190090000280300000a040000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\THAW (Enter) = 4800000000000000e4e83648ed55d6018c0d0000f0030000f2030000010000000300000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 4800000000000000ba4a3948ed55d6018c0d0000f403000004000000010000000300000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\THAW (Leave) = 480000000000000006ad3b48ed55d6018c0d000088020000f2030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\FREEZE (Enter) = 4800000000000000f7b84347ed55d6018c0d0000f0030000eb030000010000000200000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTFINALCOMMIT (Enter) = 4800000000000000ef819148ed55d6018c0d00008802000007040000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Leave) = 4800000000000000d4a7b748ed55d6015005000084050000d20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\GETSTATE (Enter) = 4800000000000000fc719a46ed55d6018c0d00004c070000f9030000010000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\PREPARESNAPSHOT (Leave) = 48000000000000004282eb46ed55d6018c0d000090030000ea030000000000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\IDENTIFY (Leave) = 4800000000000000a68a7a3fed55d6018c0d0000800d0000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_FRONT (Leave) = 4800000000000000a0e04a47ed55d6018c0d000088020000ec030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\IOCTL_FLUSH_AND_HOLD (Enter) = 48000000000000004e881548ed55d6018c0d000088020000fe030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\THAW (Enter) = 4800000000000000ba4a3948ed55d6018c0d0000f4030000f2030000010000000300000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 48000000000000004282eb46ed55d6018c0d00009003000002000000010000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\OPEN_VOLUME_HANDLE (Leave) = 48000000000000004e881548ed55d6018c0d000088020000fd030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\BKGND_FREEZE_THREAD (Leave) = 4800000000000000ba4a3948ed55d6018c0d0000bc040000fc030000000000000300000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\BACKUPSHUTDOWN (Enter) = 48000000000000009782b048ed55d6018c0d0000f4030000fb030000010000000500000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Leave) = 48000000000000009031c148ed55d6015005000084050000d20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	srtasks.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_THAW (SetCurrentState) = 4800000000000000f7b84347ed55d6018c0d0000f003000003000000010000000200000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE (Leave) = 48000000000000005b9fea47ed55d6018c0d000088020000eb030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace\OPEN_VOLUME_HANDLE (Enter) = 48000000000000005b9fea47ed55d6018c0d000088020000fd030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\THAW (Leave) = 4800000000000000e4e83648ed55d6018c0d0000f0030000f2030000000000000300000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\BACKUPSHUTDOWN (Enter) = 4800000000000000b21eae48ed55d6018c0d000088020000fb030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\IDENTIFY (Enter) = 48000000000000006b3c6c3fed55d60190090000880f0000e8030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_STABLE (SetCurrentState) = 4800000000000000224c7446ed55d6018c0d00004c07000001000000010000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\PREPARESNAPSHOT (Enter) = 4800000000000000c1d2da46ed55d6018c0d000088020000ea030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 48000000000000009e227048ed55d6018c0d0000f003000005000000010000000400000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppCreate (Leave) = 4800000000000000e4e83648ed55d60190090000cc0b0000d00700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\POSTSNAPSHOT (Enter) = 48000000000000009e227048ed55d6018c0d0000f4030000f5030000010000000400000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\IDENTIFY (Enter) = 48000000000000001264733fed55d6018c0d0000a00c0000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 4800000000000000c6e6ed46ed55d6018c0d00008403000002000000010000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_RM (Leave) = 48000000000000005b9fea47ed55d6018c0d000088020000ef030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTCOMMIT (Leave) = 480000000000000001253248ed55d6018c0d00008802000005040000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\THAW (Leave) = 4800000000000000e4e83648ed55d6018c0d0000ec030000f2030000000000000300000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_STABLE (SetCurrentState) = 4800000000000000224c7446ed55d6018c0d0000800d000001000000010000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPARESNAPSHOT (Leave) = 4800000000000000c6e6ed46ed55d6018c0d0000ec030000ea030000000000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 4800000000000000c6e6ed46ed55d6018c0d0000ec03000002000000010000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{9563bb1f-0000-0000-0000-500600000000}_)\IOCTL_RELEASE (Leave) = 4800000000000000d6c62f48ed55d6018c0d0000f4040000ff030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\THAW_KTM (Enter) = 480000000000000001253248ed55d6018c0d000088020000f4030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\THAW (Leave) = 4800000000000000ba4a3948ed55d6018c0d0000f4030000f2030000000000000300000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\POSTSNAPSHOT (Enter) = 48000000000000009e227048ed55d6018c0d0000f0030000f5030000010000000400000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppCreate (Enter) = 4800000000000000c5ee5d3fed55d60190090000cc0b0000d00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\VSS_WS_STABLE (SetCurrentState) = 4800000000000000224c7446ed55d6018c0d0000f001000001000000010000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\BACKUPSHUTDOWN (Leave) = 48000000000000009782b048ed55d6018c0d0000ec030000fb030000000000000500000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\GETSTATE (Enter) = 480000000000000078129846ed55d601900900009c020000f9030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_ENDPREPARE (Enter) = 48000000000000008463a646ed55d6018c0d00008802000002040000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_SYSTEM (Enter) = 48000000000000002a2e5947ed55d6018c0d000088020000ee030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PRECOMMIT (Leave) = 48000000000000005b9fea47ed55d6018c0d00008802000003040000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPAREBACKUP (Enter) = 4800000000000000abea7146ed55d6018c0d0000800d0000e9030000010000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPAREBACKUP (Leave) = 4800000000000000224c7446ed55d6018c0d0000800d0000e9030000000000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\PREPARESNAPSHOT (Enter) = 4800000000000000a095df46ed55d6018c0d000084030000ea030000010000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\PREPARESNAPSHOT (Leave) = 4800000000000000c6e6ed46ed55d6018c0d000084030000ea030000000000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_SYSTEM (Leave) = 480000000000000076546047ed55d6018c0d000088020000ee030000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\BACKUPSHUTDOWN (Enter) = 48000000000000009782b048ed55d6018c0d0000ec030000fb030000010000000500000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{9563bb1f-0000-0000-0000-500600000000}_)	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\GETSTATE (Leave) = 4800000000000000fc719a46ed55d6018c0d0000f0010000f9030000000000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\BKGND_FREEZE_THREAD (Leave) = 4800000000000000e4e83648ed55d6018c0d0000a0040000fc030000000000000300000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\POSTSNAPSHOT (Enter) = 48000000000000009e227048ed55d6018c0d0000ec030000f5030000010000000400000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\BACKUPSHUTDOWN (Leave) = 48000000000000009782b048ed55d6018c0d0000f4030000fb030000000000000500000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Leave) = 4800000000000000c5ee5d3fed55d60190090000cc0b0000d10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\PREPAREBACKUP (Leave) = 4800000000000000224c7446ed55d6018c0d0000f0010000e9030000000000000100000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_FRONT (Enter) = 480000000000000084f43e47ed55d6018c0d000088020000ec030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_BACK (Enter) = 4800000000000000a0e04a47ed55d6018c0d000088020000ed030000010000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_COMMIT (Leave) = 4800000000000000d6c62f48ed55d6018c0d0000c804000004040000000000000000000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\BKGND_FREEZE_THREAD (Leave) = 4800000000000000e4e83648ed55d6018c0d0000cc040000fc030000000000000300000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 4800000000000000e4e83648ed55d6018c0d0000f003000004000000010000000300000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\POSTSNAPSHOT (Leave) = 48000000000000009e227048ed55d6018c0d0000ec030000f5030000000000000400000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 48000000000000009e227048ed55d6018c0d0000ec03000005000000010000000400000000000000e5e142a5448131478a848bceef75e27d00000000000000000000000000000000	vssvc.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4052.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\13ad1.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B3F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\13ad1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3DFF.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A306ABF7-7196-4199-BEBF-F9EADEBBCA8A}	msiexec.exe
File created	C:\Windows\Installer\13ad9.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 96 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Control Panel\Cursors\AppStarting = "%SystemRoot%\\cursors\\aero_arrow.cur"	policy.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2448	msiexec.exe
2448	msiexec.exe

Suspicious use of AdjustPrivilegeToken 204 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3856	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3856	msiexec.exe
Token: SeSecurityPrivilege	2448	msiexec.exe
Token: SeCreateTokenPrivilege	3856	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3856	msiexec.exe
Token: SeLockMemoryPrivilege	3856	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3856	msiexec.exe
Token: SeMachineAccountPrivilege	3856	msiexec.exe
Token: SeTcbPrivilege	3856	msiexec.exe
Token: SeSecurityPrivilege	3856	msiexec.exe
Token: SeTakeOwnershipPrivilege	3856	msiexec.exe
Token: SeLoadDriverPrivilege	3856	msiexec.exe
Token: SeSystemProfilePrivilege	3856	msiexec.exe
Token: SeSystemtimePrivilege	3856	msiexec.exe
Token: SeProfSingleProcessPrivilege	3856	msiexec.exe
Token: SeIncBasePriorityPrivilege	3856	msiexec.exe
Token: SeCreatePagefilePrivilege	3856	msiexec.exe
Token: SeCreatePermanentPrivilege	3856	msiexec.exe
Token: SeBackupPrivilege	3856	msiexec.exe
Token: SeRestorePrivilege	3856	msiexec.exe
Token: SeShutdownPrivilege	3856	msiexec.exe
Token: SeDebugPrivilege	3856	msiexec.exe
Token: SeAuditPrivilege	3856	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3856	msiexec.exe
Token: SeChangeNotifyPrivilege	3856	msiexec.exe
Token: SeRemoteShutdownPrivilege	3856	msiexec.exe
Token: SeUndockPrivilege	3856	msiexec.exe
Token: SeSyncAgentPrivilege	3856	msiexec.exe
Token: SeEnableDelegationPrivilege	3856	msiexec.exe
Token: SeManageVolumePrivilege	3856	msiexec.exe
Token: SeImpersonatePrivilege	3856	msiexec.exe
Token: SeCreateGlobalPrivilege	3856	msiexec.exe
Token: SeBackupPrivilege	3468	vssvc.exe
Token: SeRestorePrivilege	3468	vssvc.exe
Token: SeAuditPrivilege	3468	vssvc.exe
Token: SeBackupPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeBackupPrivilege	1360	srtasks.exe
Token: SeRestorePrivilege	1360	srtasks.exe
Token: SeSecurityPrivilege	1360	srtasks.exe
Token: SeTakeOwnershipPrivilege	1360	srtasks.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeBackupPrivilege	1360	srtasks.exe
Token: SeRestorePrivilege	1360	srtasks.exe
Token: SeSecurityPrivilege	1360	srtasks.exe
Token: SeTakeOwnershipPrivilege	1360	srtasks.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeRestorePrivilege	2448	msiexec.exe
Token: SeTakeOwnershipPrivilege	2448	msiexec.exe
Token: SeDebugPrivilege	3876	policy.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3856	msiexec.exe
3856	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 1360	2448	msiexec.exe	72
PID 2448 wrote to memory of 1360	2448	msiexec.exe	72
PID 2448 wrote to memory of 1784	2448	msiexec.exe	74
PID 2448 wrote to memory of 1784	2448	msiexec.exe	74
PID 2448 wrote to memory of 1784	2448	msiexec.exe	74
PID 2448 wrote to memory of 2680	2448	msiexec.exe	75
PID 2448 wrote to memory of 2680	2448	msiexec.exe	75
PID 2448 wrote to memory of 2680	2448	msiexec.exe	75
PID 2680 wrote to memory of 3876	2680	ypoc.exe	76
PID 2680 wrote to memory of 3876	2680	ypoc.exe	76
PID 2680 wrote to memory of 3876	2680	ypoc.exe	76

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3856

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Modifies service
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4DE7FDBCF64EB5B56CF9A29CF0A348C9
  2⤵
  - Loads dropped DLL
  PID:1784
- C:\Users\Admin\AppData\Local\microsoft\Mediia\ypoc.exe
  "C:\Users\Admin\AppData\Local\microsoft\Mediia\ypoc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Localpolicy\policy.exe
    "C:\Users\Admin\AppData\Localpolicy\policy.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies Control Panel
    PID:3876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3468

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2448-42-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-67-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-44-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-45-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-29-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-31-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-32-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-33-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-35-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-36-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-38-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-39-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-41-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-66-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-26-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-47-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-28-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-48-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-50-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-51-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-53-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-54-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-56-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-57-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-59-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-60-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-61-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-63-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download
memory/2448-64-0x0000019473AB0000-0x0000019473AB1000-memory.dmp

Filesize
4KB

Download