maze | bff478766c3a3962228a15fcaae1fbf8c31ec337a83496c4670cd3e704ead735

Analysis

max time kernel
147s
max time network
6s
platform
windows7_x64
resource
win7v200430
submitted
14-07-2020 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pawufefu.msi
Size

496KB
MD5

af64b568501ce3d7e43ace3dca1183e2
SHA1

88d52d7ebe72415d1ee1ff16ffe8afda0b052df0
SHA256

bff478766c3a3962228a15fcaae1fbf8c31ec337a83496c4670cd3e704ead735
SHA512

b949b3cb7c80c38c38493b20c8e96e40343f79e265a5a1f73ecc9f1f34966e13079dcfc7b554ef67de5ab4e00f45b1dda5802f90084f5a64de8431d2d8f0943d

Score

10^/10

ransomware trojan maze persistence spyware discovery

Malware Config

Extracted

Path

C:\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6ba70cb84a895bc6 e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6ba70cb84a895bc6 b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- dLoGSBk5nHBny9HgEu6IH+9q8L9PweZITrZlbfiEBf6w3JRXL0GyMj1b4KbGwj0q8HcX7Wt5nMXNaNt9YGymRRy6aFcuJYgm0O7eHsVsZzKg30jifRkiOaRMOnfuFRq8yjOPM4WaXEiEYa3PvCsMJCyCCpMY8CEpjKVgOI8IMLPOilLHgfMIjU2g5W10QLsxZA2sGIXJT6KIvQmHhCGzLuz17kqHn7eOfm/Nh1gfI1ovj2kmTjgOVwRrAa/6LFAuAg1Kbta3XqD826FWqDTqy1/l9p1kOVgSG9owcEPy434Z+i3Wx97Hgm1WqBq4MEQLChuFSUQz2NUyOZHGe28Woy6LbfgS1YC5Hx4NDw7cUOo/07zIv5hBAzh3trc6iRi8neZyJlb97Bz4RzfqeXfJTjP1GmDkYwe1ywp+qekraDCeKM2dtj0lmaz6b8WEGa4taF5wF2Zo+dHI9I/d+QusuhWWzUv5pw/ZkdC11FXTPD8hxg/YppfyIcYPVhOHMi4SSdDL89ejxi6jOSHu00vhH+9YNvoC93Vgght5apZLVmyscsgVsX6bZFZSWLhTibpckZaazSWmR701EJ2VAZQtIsPZQCKoTOjtgnRPwjeUCMa443SRYAHo3uBPL7RioFgSQ+14WLHJJzCAKblmI74kYcWNx841/NIh5g9wGqvEwTP07W4aD0S7h7ofhfyB54c5DNNqUZ2wxfzD0HjFzDO8P0xQ4s3YcVe1KIBG3kLKo4b9H2xweFjWcrukNhXX9EPVrfgAPdW6BBWZ/lpnusez9l8Eg5gnlf/z+6E2/wypYdo+qaoxgQy8I0IOsayLDVkg5SUqTi+ap7O44ydXETlWF2ZJ8A4TnvU93ZUUMi/Ubo/IMLukz5AvxD/PQ64g0rISIT2pH+8vPKwXoiBr8UBusq3FGQl7wtM6mSkvpJ8hi4gzyGTa8mSZVn2TJxcdJchV0K/jq55LAcu7TPRafPNP6b9wz+KzTMLoYgLRvjXQeZ1ya+vubDjHujDz0gX9FdPdTRHTmPAHaAECnCAMCmlNkS1hfJNlibLmdK8fHOLtfrqiO+a0NiJfWS85JzCoU58yCREF/dryJHXZGQYjfc376/S7MgSRHBAW4twFHj8I9bVGG3ARcOGpU/Gvu3CyYW1xLg/m8IcE39+GtYL3SI1C3SqrGZ399YgtaueOEnrLZESGfwckhqSP4Nm5Fi4hKLarDGfbiwlWYTczM3G34FLs7EaXyhKx3ys42l5ZIp9ZBaxW31IxOt/VR7HaCbovcdyaSC++w5U+c8kM9CT+CuCfjZDTqhMwliBDtFIoqG+/6OYJrFWyUflzmZdUNeg3gDAteWwp8fhQl5XTtY/4lUiIoG7QJmUN4DBT7ZqfX0C6kYZCcbOZ208XA2M5NQ2nNamftlk/Id6pMVgJHdVzB7ai+0GzhYbwNr+HCqd0Nwr5Vs/u2XmKVwC4GDPIMxBEQ700MeFJ1etbJtt35WUNF2Ia8ytdU5ZzC8fbIhkyfxjL5aRylEskGqD6G3WMuEiY24600/A9/8aKZPrUgzqlyAJvGqtSaiPEwppEnkkUNWMc4IHpEu96g59aZLtc4WIbqbHQgEgp8E7wq3LsFBR92/RXYqEVZh1FmFJmM2hAX8JNYHBgjvI+R8fYcU2AEFrrJOz98Hb2j0NGOu/m3aLT85gZhFUYkRoTb2eHqPD1wGUra7EZZqV83YBRx4veab1j7b0qz2CdUc7W7FSOcWgnr3S87X+J0OYHXTXuV627xckh/L8u44y0g/PYYESX+ZB2kELq8dnuJjNy/zLkoDzY3VzpWfKTSFjkoBmAeebFAOocd5hZcWd1eAgteSdVIcvK2QXQIvhUaHllUlLaYLcqvc6ViW9yPLfXh6jGtY8oyirPeGduY58LNDVy6G9U4B/u8qUf55avFtZOQNjTiREOBnfVJGD4yvtGfDFoJfry3YLBIyH2PGLO9qw8ouKGiMT2liDc8wAI9r5jfxO1x/2Q//3uTWkGkLKbKIrfAj1BiYkRRtzWCET0eTY3PAKNzjsEeP3WNV05+y93HFgJlgq7XELYsPmkqw7x8ZMk3mIV4zUJ93cYeKAoDwsv3Y1m11pBNR4RObRFWUiGPPPCzzsYkpC3SudCr0LrGOhM81ZrqBN8BXiA/Yf83KsPp/TF60mEtuAXQcEwsKWk1f6p4w2wgUYZhXUmzfzLBTlG28MlIgOtzO7EldYTbCSZ2NT6YE6eN2W3fSVjtgoiNgBiAGEANwAwAGMAYgA4ADQAYQA4ADkANQBiAGMANgAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAEQASgBSAFcARwBEAEwAWgAAACoMbgBvAG4AZQB8AAAAMi5XAGkAbgBkAG8AdwBzACAANwAgAFAAcgBvAGYAZQBzAHMAaQBvAG4AYQBsAAAAOih8AGQAZQBwAHIAZQBjAGEAdABlAGQAIAA+ACAAdgAyAC4AMwB8AAAAQjh8AEMAXwBGAF8AMgA0ADMAMwA3ADEALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhw568HeByAAQGKAQUyLjMuMg== ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6ba70cb84a895bc6

https://mazedecrypt.top/6ba70cb84a895bc6

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1416	msiexec.exe
1416	msiexec.exe
1596	MsiExec.exe

Modifies service 2 TTPs 147 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\PREPAREBACKUP (Enter) = 4800000000000000f0ded5b1085ad601e402000050060000e903000001000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\GETSTATE (Enter) = 4800000000000000303d0ab2085ad601e4020000d4050000f903000001000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP\SppCreate (Enter) = 4800000000000000709c53ab085ad6018805000040060000d00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\IDENTIFY (Enter) = 4800000000000000700a12ac085ad601e4020000d4050000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer\IDENTIFY (Leave) = 4800000000000000b05220ac085ad601e4020000ec050000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE (Enter) = 48000000000000001016b9b3085ad601e402000004070000eb03000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\THAW (Enter) = 4800000000000000f07596b4085ad601e40200000c020000f203000001000000030000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\THAW (Leave) = 4800000000000000f07596b4085ad601e402000070010000f203000000000000030000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTCOMMIT (Enter) = 480000000000000050c172b4085ad601e4020000040700000504000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{ef8b9384-8b17-11ea-a5f6-806e6f6e6963}_)	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\GETSTATE (Leave) = 4800000000000000506111b2085ad60188050000f8060000f903000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\PREPARESNAPSHOT (Enter) = 4800000000000000906463b3085ad601e402000090020000ea03000001000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_SYSTEM (Enter) = 4800000000000000909bc2b3085ad601e402000004070000ee03000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_THAW (SetCurrentState) = 4800000000000000f0fcc4b3085ad601e4020000400100000300000001000000020000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PRECOMMIT (Leave) = 4800000000000000b0eb15b4085ad601e4020000040700000304000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\BACKUPSHUTDOWN (Enter) = 4800000000000000b03551b6085ad601e402000040010000fb03000001000000050000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\IDENTIFY (Leave) = 480000000000000030cd16ac085ad601e402000084030000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\FREEZE (Leave) = 48000000000000007077bbb3085ad601e402000040010000eb03000000000000020000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\FREEZE (Enter) = 4800000000000000f0fcc4b3085ad601e402000040010000eb03000001000000020000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\DOSNAPSHOT (Leave) = 480000000000000050c172b4085ad60188050000100700000a04000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\THAW (Enter) = 4800000000000000f07596b4085ad601e402000070010000f203000001000000030000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\POSTSNAPSHOT (Enter) = 480000000000000010c6e9b4085ad601e402000004070000f503000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\IDENTIFY (Enter) = 4800000000000000700a12ac085ad601e402000084030000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\FREEZE (Enter) = 480000000000000090a6d5b3085ad601e402000070010000eb03000001000000020000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\POSTSNAPSHOT (Leave) = 480000000000000030eaf0b4085ad601e402000090020000f503000000000000040000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\BACKUPSHUTDOWN (Leave) = 4800000000000000b03551b6085ad601e402000040010000fb03000000000000050000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 4800000000000000f07596b4085ad601e4020000700100000400000001000000030000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\BACKUPSHUTDOWN (Enter) = 4800000000000000b03551b6085ad601e402000040010000fb03000001000000050000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\BKGND_FREEZE_THREAD (Enter) = 4800000000000000b0eb15b4085ad601e4020000c8020000fc03000001000000030000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\IDENTIFY (Enter) = 4800000000000000700a12ac085ad601e402000050060000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP\SppGatherWriterMetadata (Leave) = 4800000000000000f0b289b1085ad6018805000040060000d30700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\GETSTATE (Enter) = 4800000000000000303d0ab2085ad601e4020000ec050000f903000001000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\PREPARESNAPSHOT (Leave) = 4800000000000000503d8eb3085ad601e40200000c020000ea03000000000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\PREPARESNAPSHOT (Leave) = 4800000000000000b09e90b3085ad601e402000040010000ea03000000000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\FREEZE (Leave) = 4800000000000000b0eb15b4085ad601e402000070010000eb03000000000000020000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{ef8b9384-8b17-11ea-a5f6-806e6f6e6963}_)\IOCTL_FLUSH_AND_HOLD (Leave) = 480000000000000050c172b4085ad601e402000088020000fe03000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\GETSTATE (Leave) = 4800000000000000909e0cb2085ad601e402000050060000f903000000000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_FRONT (Enter) = 48000000000000001016b9b3085ad601e402000004070000ec03000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_COMMIT (Enter) = 480000000000000050c172b4085ad601e40200008c0400000404000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\PREPARESNAPSHOT (Leave) = 48000000000000001016b9b3085ad601e402000004070000ea03000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_THAW (SetCurrentState) = 4800000000000000b0eb15b4085ad601e4020000700100000300000001000000020000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{ef8b9384-8b17-11ea-a5f6-806e6f6e6963}_)\OPEN_VOLUME_HANDLE (Leave) = 4800000000000000f0545db4085ad601e402000088020000fd03000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\THAW (Leave) = 4800000000000000f07596b4085ad601e402000040010000f203000000000000030000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\PREPAREBACKUP (Enter) = 48000000000000009072c0b1085ad6018805000038050000e903000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_RM (Leave) = 4800000000000000b0eb15b4085ad601e402000004070000ef03000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace\OPEN_VOLUME_HANDLE (Enter) = 4800000000000000b0eb15b4085ad601e402000004070000fd03000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{ef8b9384-8b17-11ea-a5f6-806e6f6e6963}_)\OPEN_VOLUME_HANDLE (Enter) = 4800000000000000b0eb15b4085ad601e402000088020000fd03000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore\SrCreateRp (Leave) = 4800000000000000b02275b4085ad6018805000040060000d50700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PREFINALCOMMIT (Enter) = 480000000000000050d798b4085ad601e4020000040700000604000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\POSTSNAPSHOT (Leave) = 480000000000000030eaf0b4085ad601e402000070010000f503000000000000040000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_ENDPREPARE (Enter) = 4800000000000000b0d839b2085ad601e4020000040700000204000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PREFINALCOMMIT (Leave) = 480000000000000010c6e9b4085ad601e4020000040700000604000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\POSTSNAPSHOT (Leave) = 4800000000000000f0c21bb5085ad601e402000004070000f503000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 4800000000000000b09e90b3085ad601e4020000400100000200000001000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\FREEZE (Leave) = 4800000000000000f0fcc4b3085ad601e402000040010000eb03000000000000020000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_KTM (Leave) = 4800000000000000d0e3d0b3085ad601e402000004070000f003000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\FREEZE (Enter) = 48000000000000007077bbb3085ad601e402000040010000eb03000001000000020000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_KTM (Enter) = 4800000000000000d0e3d0b3085ad601e402000004070000f003000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTFINALCOMMIT (Enter) = 4800000000000000f0c21bb5085ad601e4020000040700000704000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\BACKUPSHUTDOWN (Enter) = 480000000000000090114ab6085ad601e402000004070000fb03000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\PREPAREBACKUP (Leave) = 48000000000000003027e4b1085ad601e402000050060000e903000000000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_ENDPREPARE (Leave) = 4800000000000000b07d57b3085ad601e4020000040700000204000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\PREPAREBACKUP (Enter) = 4800000000000000907dd3b1085ad601e4020000ec050000e903000001000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace\IOCTL_FLUSH_AND_HOLD (Enter) = 4800000000000000f0545db4085ad601e402000004070000fe03000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\THAW_KTM (Leave) = 480000000000000050c172b4085ad601e402000004070000f403000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 4800000000000000f0c21bb5085ad601e4020000d80100000500000001000000040000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\VSS_WS_STABLE (SetCurrentState) = 4800000000000000d0c5e1b1085ad601e4020000d40500000100000001000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_BACK (Enter) = 4800000000000000d0d8bdb3085ad601e402000004070000ed03000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_SYSTEM (Leave) = 4800000000000000d0e3d0b3085ad601e402000004070000ee03000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace\IOCTL_RELEASE (Leave) = 480000000000000050c172b4085ad601e402000004070000ff0300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\BKGND_FREEZE_THREAD (Leave) = 4800000000000000f07596b4085ad601e402000040020000fc03000000000000030000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\THAW (Leave) = 480000000000000050d798b4085ad601e402000004070000f203000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\PREPAREBACKUP (Leave) = 4800000000000000d0c5e1b1085ad601e4020000d4050000e903000000000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\VSS_WS_STABLE (SetCurrentState) = 48000000000000003027e4b1085ad601e4020000500600000100000001000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\GETSTATE (Leave) = 4800000000000000909e0cb2085ad601e4020000d4050000f903000000000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP\SppCreate (Leave) = 4800000000000000b02275b4085ad6018805000040060000d00700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 4800000000000000f07596b4085ad601e4020000400100000400000001000000030000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 480000000000000030eaf0b4085ad601e4020000700100000500000001000000040000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_BEGINPREPARE (Leave) = 4800000000000000d0afbbb1085ad601e4020000ec0500000104000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\PREPAREBACKUP (Leave) = 4800000000000000d0c5e1b1085ad601e4020000ec050000e903000000000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\BACKUPSHUTDOWN (Leave) = 4800000000000000b03551b6085ad601e402000040010000fb03000000000000050000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\PREPARESNAPSHOT (Enter) = 4800000000000000906463b3085ad601e402000040010000ea03000001000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\BKGND_FREEZE_THREAD (Enter) = 4800000000000000f0fcc4b3085ad601e4020000b4020000fc03000001000000030000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PRECOMMIT (Enter) = 4800000000000000b0eb15b4085ad601e4020000040700000304000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace\IOCTL_RELEASE (Enter) = 480000000000000050c172b4085ad601e402000004070000ff0300000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\POSTSNAPSHOT (Enter) = 480000000000000030eaf0b4085ad601e402000090020000f503000001000000040000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\POSTSNAPSHOT (Leave) = 4800000000000000f0c21bb5085ad601e4020000d8010000f503000000000000040000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\IDENTIFY (Enter) = 480000000000000050e60aac085ad6018805000010040000e803000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\IDENTIFY (Leave) = 4800000000000000902e19ac085ad601e4020000d4050000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_BEGINPREPARE (Enter) = 4800000000000000d0afbbb1085ad601e4020000ec0500000104000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_THAW (SetCurrentState) = 48000000000000007077bbb3085ad601e4020000400100000300000001000000020000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore\SrCreateRp (Enter) = 4800000000000000709c53ab085ad6018805000040060000d50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 4800000000000000503d8eb3085ad601e4020000900200000200000001000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\BACKUPSHUTDOWN (Enter) = 4800000000000000b03551b6085ad601e402000040010000fb03000001000000050000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\BACKUPSHUTDOWN (Leave) = 4800000000000000b03551b6085ad601e402000040010000fb03000000000000050000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{ef8b9384-8b17-11ea-a5f6-806e6f6e6963}_)\IOCTL_RELEASE (Enter) = 480000000000000050c172b4085ad601e402000088020000ff03000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\THAW_KTM (Enter) = 480000000000000050c172b4085ad601e402000004070000f403000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\BKGND_FREEZE_THREAD (Leave) = 4800000000000000f07596b4085ad601e4020000c8020000fc03000000000000030000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTCOMMIT (Leave) = 480000000000000050c172b4085ad601e4020000040700000504000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\POSTSNAPSHOT (Enter) = 4800000000000000d088eeb4085ad601e4020000d8010000f503000001000000040000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\PREPAREBACKUP (Enter) = 4800000000000000907dd3b1085ad601e4020000d4050000e903000001000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\PREPARESNAPSHOT (Enter) = 4800000000000000b07d57b3085ad601e402000004070000ea03000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) = 4800000000000000503d8eb3085ad601e40200000c0200000200000001000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_RM (Enter) = 4800000000000000d0e3d0b3085ad601e402000004070000ef03000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace\OPEN_VOLUME_HANDLE (Leave) = 4800000000000000f0545db4085ad601e402000004070000fd03000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\BKGND_FREEZE_THREAD (Leave) = 4800000000000000f07596b4085ad601e4020000b4020000fc03000000000000030000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_POSTFINALCOMMIT (Leave) = 4800000000000000909878b5085ad601e4020000040700000704000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\PREPARESNAPSHOT (Enter) = 4800000000000000906463b3085ad601e40200000c020000ea03000001000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE (Leave) = 4800000000000000b0eb15b4085ad601e402000004070000eb03000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 4800000000000000f07596b4085ad601e40200000c0200000400000001000000030000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\GETSTATE (Enter) = 4800000000000000101903b2085ad60188050000f8060000f903000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\BKGND_FREEZE_THREAD (Enter) = 48000000000000007077bbb3085ad601e402000040020000fc03000001000000030000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{ef8b9384-8b17-11ea-a5f6-806e6f6e6963}_)\IOCTL_FLUSH_AND_HOLD (Enter) = 4800000000000000f0545db4085ad601e402000088020000fe03000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{ef8b9384-8b17-11ea-a5f6-806e6f6e6963}_)\IOCTL_RELEASE (Leave) = 480000000000000050c172b4085ad601e402000088020000ff03000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace\IOCTL_FLUSH_AND_HOLD (Leave) = 480000000000000050c172b4085ad601e402000004070000fe03000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\THAW (Leave) = 4800000000000000f07596b4085ad601e40200000c020000f203000000000000030000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\BACKUPSHUTDOWN (Leave) = 4800000000000000109753b6085ad601e402000004070000fb03000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\VSS_WS_STABLE (SetCurrentState) = 4800000000000000d0c5e1b1085ad601e4020000ec0500000100000001000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\THAW (Enter) = 480000000000000050c172b4085ad601e402000004070000f203000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 480000000000000030eaf0b4085ad601e4020000900200000500000001000000040000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer\IDENTIFY (Enter) = 4800000000000000700a12ac085ad601e4020000ec050000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\IDENTIFY (Leave) = 4800000000000000902e19ac085ad601e402000050060000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\GETSTATE (Leave) = 4800000000000000909e0cb2085ad601e4020000ec050000f903000000000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer\THAW (Enter) = 4800000000000000f07596b4085ad601e402000040010000f203000001000000030000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\IDENTIFY (Leave) = 4800000000000000d0f7c1ae085ad6018805000010040000e803000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\DOSNAPSHOT (Enter) = 4800000000000000507737b2085ad60188050000400600000a04000001000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer\POSTSNAPSHOT (Enter) = 4800000000000000d088eeb4085ad601e402000070010000f503000001000000040000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP\SppAddInterestingComponents (Enter) = 4800000000000000f0b289b1085ad6018805000040060000d40700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP\SppAddInterestingComponents (Leave) = 4800000000000000b080a1b1085ad6018805000040060000d40700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher\PREPAREBACKUP (Leave) = 4800000000000000101903b2085ad6018805000038050000e903000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\PREPARESNAPSHOT (Leave) = 4800000000000000503d8eb3085ad601e402000090020000ea03000000000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_BACK (Leave) = 4800000000000000909bc2b3085ad601e402000004070000ed03000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_COMMIT (Leave) = 480000000000000050c172b4085ad601e40200008c0400000404000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP\SppGatherWriterMetadata (Enter) = 4800000000000000902306ac085ad6018805000040060000d30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer\GETSTATE (Enter) = 4800000000000000303d0ab2085ad601e402000050060000f903000001000000010000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher\FREEZE_FRONT (Leave) = 4800000000000000d0d8bdb3085ad601e402000004070000ec03000000000000000000000000000043f6c9b7e7de8c49ae256019349ead1900000000000000000000000000000000	vssvc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\1ca41.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD8B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE38.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\1ca40.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\1ca40.msi	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
904	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1596	1416	msiexec.exe	28
PID 1416 wrote to memory of 1596	1416	msiexec.exe	28
PID 1416 wrote to memory of 1596	1416	msiexec.exe	28
PID 1416 wrote to memory of 1596	1416	msiexec.exe	28
PID 1416 wrote to memory of 1596	1416	msiexec.exe	28
PID 1416 wrote to memory of 1596	1416	msiexec.exe	28
PID 1416 wrote to memory of 1596	1416	msiexec.exe	28
PID 1596 wrote to memory of 1044	1596	MsiExec.exe	33
PID 1596 wrote to memory of 1044	1596	MsiExec.exe	33
PID 1596 wrote to memory of 1044	1596	MsiExec.exe	33
PID 1596 wrote to memory of 1044	1596	MsiExec.exe	33

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	MsiExec.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6ba70cb84a895bc6.tmp	MsiExec.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt	MsiExec.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6ba70cb84a895bc6.tmp	MsiExec.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ResetSync.emz	MsiExec.exe
File opened for modification	C:\Program Files\UninstallEnable.xlsb	MsiExec.exe
File created	C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt	MsiExec.exe
File opened for modification	C:\Program Files\CloseUnlock.i64	MsiExec.exe
File opened for modification	C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\Desktop\6ba70cb84a895bc6.tmp	MsiExec.exe
File opened for modification	C:\Program Files\PingComplete.xht	MsiExec.exe
File created	C:\Program Files\DECRYPT-FILES.txt	MsiExec.exe
File opened for modification	C:\Program Files\WaitResolve.jpg	MsiExec.exe
File opened for modification	C:\Program Files\WriteSplit.doc	MsiExec.exe
File opened for modification	C:\Program Files\MeasureUnblock.vb	MsiExec.exe
File opened for modification	C:\Program Files\Microsoft SQL Server Compact Edition\6ba70cb84a895bc6.tmp	MsiExec.exe
File created	C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt	MsiExec.exe
File opened for modification	C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\6ba70cb84a895bc6.tmp	MsiExec.exe
File opened for modification	C:\Program Files\SubmitStep.mpeg	MsiExec.exe
File opened for modification	C:\Program Files\EnableUse.mpg	MsiExec.exe
File opened for modification	C:\Program Files\GroupSelect.MTS	MsiExec.exe
File opened for modification	C:\Program Files\PingImport.svgz	MsiExec.exe
File opened for modification	C:\Program Files\WriteCopy.7z	MsiExec.exe
File created	C:\Program Files (x86)\pawufefu\ReadMe.txt	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt	MsiExec.exe
File opened for modification	C:\Program Files\PopExit.mpe	MsiExec.exe
File opened for modification	C:\Program Files\RegisterResume.m3u	MsiExec.exe
File opened for modification	C:\Program Files\RestoreMeasure.vst	MsiExec.exe
File opened for modification	C:\Program Files\StartInvoke.ini	MsiExec.exe
File opened for modification	C:\Program Files\SubmitConnect.mp2v	MsiExec.exe
File opened for modification	C:\Program Files\UpdateUninstall.wm	MsiExec.exe
File opened for modification	C:\Program Files\6ba70cb84a895bc6.tmp	MsiExec.exe
File created	C:\Program Files (x86)\DECRYPT-FILES.txt	MsiExec.exe
File opened for modification	C:\Program Files\RedoMove.jpeg	MsiExec.exe
File opened for modification	C:\Program Files\SubmitPop.au3	MsiExec.exe
File opened for modification	C:\Program Files (x86)\6ba70cb84a895bc6.tmp	MsiExec.exe
File opened for modification	C:\Program Files\ConvertCheckpoint.wps	MsiExec.exe
File opened for modification	C:\Program Files\DisableResize.mov	MsiExec.exe
File opened for modification	C:\Program Files\SplitPublish.docx	MsiExec.exe
File opened for modification	C:\Program Files\SuspendSet.fon	MsiExec.exe
File opened for modification	C:\Program Files\CopyClear.php	MsiExec.exe

Loads dropped DLL 1 IoCs

pid	Process
1596	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
904	msiexec.exe

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp"	MsiExec.exe

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 97 IoCs

description	pid	Process
Token: SeShutdownPrivilege	904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	904	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeSecurityPrivilege	1416	msiexec.exe
Token: SeCreateTokenPrivilege	904	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	904	msiexec.exe
Token: SeLockMemoryPrivilege	904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	904	msiexec.exe
Token: SeMachineAccountPrivilege	904	msiexec.exe
Token: SeTcbPrivilege	904	msiexec.exe
Token: SeSecurityPrivilege	904	msiexec.exe
Token: SeTakeOwnershipPrivilege	904	msiexec.exe
Token: SeLoadDriverPrivilege	904	msiexec.exe
Token: SeSystemProfilePrivilege	904	msiexec.exe
Token: SeSystemtimePrivilege	904	msiexec.exe
Token: SeProfSingleProcessPrivilege	904	msiexec.exe
Token: SeIncBasePriorityPrivilege	904	msiexec.exe
Token: SeCreatePagefilePrivilege	904	msiexec.exe
Token: SeCreatePermanentPrivilege	904	msiexec.exe
Token: SeBackupPrivilege	904	msiexec.exe
Token: SeRestorePrivilege	904	msiexec.exe
Token: SeShutdownPrivilege	904	msiexec.exe
Token: SeDebugPrivilege	904	msiexec.exe
Token: SeAuditPrivilege	904	msiexec.exe
Token: SeSystemEnvironmentPrivilege	904	msiexec.exe
Token: SeChangeNotifyPrivilege	904	msiexec.exe
Token: SeRemoteShutdownPrivilege	904	msiexec.exe
Token: SeUndockPrivilege	904	msiexec.exe
Token: SeSyncAgentPrivilege	904	msiexec.exe
Token: SeEnableDelegationPrivilege	904	msiexec.exe
Token: SeManageVolumePrivilege	904	msiexec.exe
Token: SeImpersonatePrivilege	904	msiexec.exe
Token: SeCreateGlobalPrivilege	904	msiexec.exe
Token: SeBackupPrivilege	740	vssvc.exe
Token: SeRestorePrivilege	740	vssvc.exe
Token: SeAuditPrivilege	740	vssvc.exe
Token: SeBackupPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1736	DrvInst.exe
Token: SeLoadDriverPrivilege	1736	DrvInst.exe
Token: SeLoadDriverPrivilege	1736	DrvInst.exe
Token: SeLoadDriverPrivilege	1736	DrvInst.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1044	wmic.exe
Token: SeSecurityPrivilege	1044	wmic.exe
Token: SeTakeOwnershipPrivilege	1044	wmic.exe
Token: SeLoadDriverPrivilege	1044	wmic.exe
Token: SeSystemProfilePrivilege	1044	wmic.exe
Token: SeSystemtimePrivilege	1044	wmic.exe
Token: SeProfSingleProcessPrivilege	1044	wmic.exe
Token: SeIncBasePriorityPrivilege	1044	wmic.exe
Token: SeCreatePagefilePrivilege	1044	wmic.exe
Token: SeBackupPrivilege	1044	wmic.exe
Token: SeRestorePrivilege	1044	wmic.exe
Token: SeShutdownPrivilege	1044	wmic.exe
Token: SeDebugPrivilege	1044	wmic.exe
Token: SeSystemEnvironmentPrivilege	1044	wmic.exe
Token: SeRemoteShutdownPrivilege	1044	wmic.exe
Token: SeUndockPrivilege	1044	wmic.exe
Token: SeManageVolumePrivilege	1044	wmic.exe
Token: 33	1044	wmic.exe
Token: 34	1044	wmic.exe
Token: 35	1044	wmic.exe
Token: SeIncreaseQuotaPrivilege	1044	wmic.exe
Token: SeSecurityPrivilege	1044	wmic.exe
Token: SeTakeOwnershipPrivilege	1044	wmic.exe
Token: SeLoadDriverPrivilege	1044	wmic.exe
Token: SeSystemProfilePrivilege	1044	wmic.exe
Token: SeSystemtimePrivilege	1044	wmic.exe
Token: SeProfSingleProcessPrivilege	1044	wmic.exe
Token: SeIncBasePriorityPrivilege	1044	wmic.exe
Token: SeCreatePagefilePrivilege	1044	wmic.exe
Token: SeBackupPrivilege	1044	wmic.exe
Token: SeRestorePrivilege	1044	wmic.exe
Token: SeShutdownPrivilege	1044	wmic.exe
Token: SeDebugPrivilege	1044	wmic.exe
Token: SeSystemEnvironmentPrivilege	1044	wmic.exe
Token: SeRemoteShutdownPrivilege	1044	wmic.exe
Token: SeUndockPrivilege	1044	wmic.exe
Token: SeManageVolumePrivilege	1044	wmic.exe
Token: 33	1044	wmic.exe
Token: 34	1044	wmic.exe
Token: 35	1044	wmic.exe

Checks for installed software on the system 1 TTPs 82 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	msiexec.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	msiexec.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 75.0 (x64 en-US)\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	msiexec.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	msiexec.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}\DisplayName	msiexec.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	msiexec.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	msiexec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\pawufefu.msi
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious behavior: EnumeratesProcesses
- Modifies service
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Checks for installed software on the system
PID:1416
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 15036E46850F1781B7A632B2A8575AC1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Drops startup file
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Sets desktop wallpaper using registry
  PID:1596
- - C:\Windows\system32\wbem\wmic.exe
    "C:\f\apkoa\aapk\..\..\..\Windows\erl\..\system32\ttpf\..\wbem\moor\..\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005A0" "0000000000000574"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-0-0x0000000003360000-0x0000000003364000-memory.dmp

Filesize
16KB

Download
memory/904-1-0x0000000004250000-0x0000000004254000-memory.dmp

Filesize
16KB

Download
memory/1416-14-0x0000000001230000-0x0000000001234000-memory.dmp

Filesize
16KB

Download
memory/1416-12-0x0000000004660000-0x0000000004664000-memory.dmp

Filesize
16KB

Download
memory/1416-11-0x0000000001230000-0x0000000001234000-memory.dmp

Filesize
16KB

Download
memory/1416-10-0x0000000001230000-0x0000000001234000-memory.dmp

Filesize
16KB

Download
memory/1416-9-0x0000000001380000-0x0000000001384000-memory.dmp

Filesize
16KB

Download
memory/1416-4-0x0000000000290000-0x0000000000292000-memory.dmp

Filesize
8KB

Download
memory/1416-3-0x0000000000290000-0x0000000000292000-memory.dmp

Filesize
8KB

Download
memory/1596-18-0x0000000000CC0000-0x0000000000D1D000-memory.dmp

Filesize
372KB

Download
memory/1596-20-0x0000000000CC0000-0x0000000000D1D000-memory.dmp

Filesize
372KB

Download