Resubmissions
  03-07-2024 22:59  240703-2yn7wszhlp  score 10
  03-07-2024 16:13  240703-tn93lsyglf  score 10
  03-07-2024 16:11  240703-tm84xsyfma  score 10
  10-05-2024 16:25  240510-tw1h5shh47  score 10
  24-08-2023 11:16  230824-nda8msdf8z  score 10

Analysis
  Max time kernel:  338s
  Max time network: 357s
  Platform:         windows10_x64
  Resource:         win10v20201028
  Submitted:        22-11-2020 06:42
  Static task:      static1
  Behavioral task:  behavioral24
  Sample:           Endermanch@NavaShield(1).exe
Errors: none listed in this report

General
  Target: -
  Size:   860KB
  MD5:    b3dce5c3f95a18fd076fad0f73bb9e39
  SHA1:   e80cc285a77302ee221f47e4e94823d4b2eba368
  SHA256: df2e3b2222dcdbb5e0dbdd1200ec8fd5f67fcbea99e0023df54307eab60030ff
  SHA512: c184436055cf74884ad0d2bd5ca00bcd5a62d6be46253fe8c71b4daaa5c710b9df34af1b6e41f6d1af94bcdec0d33679a6a1b34bf9755678b4e177f368c11d4c
Malware Config
Signatures
-
Modifies WinLogon for persistence  (2 TTPs, 1 IoC)
  Process: MsiExec.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,\"C:\\Program Files (x86)\\Def Group\\PC Defender\\pcdef.exe\""
  Note: of the signatures in this report, this is the one written by the installer itself. Winlogon launches every comma-separated entry in Userinit at interactive logon, so appending pcdef.exe gives the dropped "PC Defender" component a logon-time start under the user's token. The write landed in the WOW6432Node (32-bit) view because MsiExec ran as a 32-bit process; Winlogon is not one of the keys WOW64 shares between views, and 64-bit winlogon.exe reads the native key, so confirm whether the native Winlogon\Userinit was also changed before treating the persistence as effective on this x64 VM. Check both views when triaging a host.
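As an added example (not code from the Triage report, the sample or Windows), the Python below parses the Userinit IoC line above, records which registry view the write hit, splits the value on commas while honouring the double-quoted path the installer used, and flags every launcher other than the stock userinit.exe. The baseline of exactly one stock entry is an assumption; compare against your own golden image in practice.

```python
"""Audit a Winlogon\\Userinit IoC line for injected launchers.

Added example; not code from the sandbox report, the sample or Windows.
"""
import re
from typing import List, NamedTuple

# Constructed input: the single "Set value (str)" IoC line from the report above.
IOC_LINE = (
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT'
    r'\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,'
    r'\"C:\\Program Files (x86)\\Def Group\\PC Defender\\pcdef.exe\"" MsiExec.exe'
)

# Assumption: a stock Windows image lists exactly one launcher. Hardened or
# enterprise builds may add their own; replace this with your golden-image value.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# key = "value" process   (the key may contain spaces, e.g. "Windows NT")
IOC_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<val>.*)" (?P<proc>\S+)$'
)


class UserinitFinding(NamedTuple):
    key: str
    process: str
    view: str               # "native" or "WOW6432Node"
    entries: List[str]      # every launcher listed, in order
    suspicious: List[str]   # entries other than the stock userinit.exe


def parse_ioc(line: str):
    """Return (key, unescaped value, process) from a sandbox IoC line."""
    m = IOC_RE.match(line)
    if not m:
        raise ValueError("not a 'Set value (str)' IoC line")
    # The report escapes backslashes and quotes inside the value; undo that once.
    value = re.sub(r'\\(["\\])', r'\1', m.group("val"))
    return m.group("key"), value, m.group("proc")


def split_userinit(value: str) -> List[str]:
    """Split a Userinit value on commas, keeping quoted paths with spaces intact."""
    entries, cur, in_quote = [], [], False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote      # quotes delimit; they are not part of the path
        elif ch == "," and not in_quote:
            entries.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    entries.append("".join(cur).strip())
    return [e for e in entries if e]     # the stock value ends with a trailing comma


def audit_userinit(line: str) -> UserinitFinding:
    key, value, proc = parse_ioc(line)
    # A 32-bit writer is redirected into WOW6432Node; 64-bit winlogon.exe reads the native key.
    view = "WOW6432Node" if "\\WOW6432Node\\" in key else "native"
    entries = split_userinit(value)
    suspicious = [e for e in entries if e.lower() != DEFAULT_USERINIT]
    return UserinitFinding(key, proc, view, entries, suspicious)


if __name__ == "__main__":
    finding = audit_userinit(IOC_LINE)
    print(f"{finding.process} wrote Userinit in the {finding.view} registry view")
    for path in finding.suspicious:
        print("  extra logon launcher:", path)
```

Run against the report's line it reports MsiExec.exe writing the WOW6432Node view and one extra launcher, the pcdef.exe path; a stock value with its trailing comma yields no finding.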
Executes dropped EXE  (2 IoCs)
  PID 3936  rundelay.exe
  PID 3960  rundelay.exe
Modifies WinLogon to allow AutoLogon  (2 TTPs, 1 IoC)
Enables rebooting of the machine without requiring login credentials.
  Process: LogonUI.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
  Caveat: the acting process is LogonUI.exe, the Windows logon screen, and the IoC is a bare key creation with no value written, so this reads as ordinary OS activity during the run rather than something the sample configured. A real autologon setup would show DefaultUserName, DefaultPassword and AutoAdminLogon being set under Winlogon.
Enumerates connected drives  (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe
  File opened (read-only) on every drive letter except C: and D:, once per msiexec.exe process:
    \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
    (24 letters x 2 processes = 48 IoCs)
  Caveat: the opener is the Windows Installer service, and probing volumes is part of its normal install-time costing, so this is weak evidence on its own; it would matter more if the sample's own binaries (pcdef.exe, rundelay.exe) were the ones walking the drives.
Modifies service  (2 TTPs, 162 IoCs)
  Processes: vssvc.exe, srtasks.exe, msiexec.exe
  Every entry sits under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\, the Volume Shadow Copy service's diagnostic log. The signature fires because the path is in the Services hive; no service configuration value (ImagePath, Start, Type) is touched.
  Keys created:
    msiexec.exe: Diag, Diag\VssapiPublisher, Diag\SystemRestore
    srtasks.exe: Diag, Diag\SPP
    vssvc.exe:   Diag\VssvcPublisher, Diag\Registry Writer, Diag\COM+ REGDB Writer, Diag\ASR Writer, Diag\Shadow Copy Optimization Writer, Diag\Lovelace, Diag\Lovelace(__?_Volume{0e932f02-0000-0000-0000-500600000000}_), Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  Values set (data), one per Enter/Leave or SetCurrentState event:
    msiexec.exe  SystemRestore\SrCreateRp; SPP\SppCreate, SppEnumGroups, SppGetSnapshots, SppGatherWriterMetadata, SppAddInterestingComponents; VssapiPublisher\IDENTIFY, PREPAREBACKUP, GETSTATE, DOSNAPSHOT
    srtasks.exe  SPP\SppEnumGroups, SppGetSnapshots
    vssvc.exe    VssvcPublisher\PREPARESNAPSHOT, FREEZE, FREEZE_KTM, FREEZE_RM, FREEZE_SYSTEM, FREEZE_BACK, THAW, THAW_KTM, POSTSNAPSHOT, BACKUPSHUTDOWN
                 Writers (Registry Writer, COM+ REGDB Writer, ASR Writer, Shadow Copy Optimization Writer), between them: IDENTIFY, GETSTATE, PREPAREBACKUP, PREPARESNAPSHOT, FREEZE, BKGND_FREEZE_THREAD, THAW, POSTSNAPSHOT, BACKUPSHUTDOWN, plus writer state changes VSS_WS_STABLE, VSS_WS_WAITING_FOR_FREEZE, VSS_WS_WAITING_FOR_THAW, VSS_WS_WAITING_FOR_POST_SNAPSHOT, VSS_WS_WAITING_FOR_BACKUP_COMPLETE
                 Lovelace and Lovelace(__?_Volume{0e932f02-0000-0000-0000-500600000000}_): OPEN_VOLUME_HANDLE, IOCTL_FLUSH_AND_HOLD, IOCTL_RELEASE
                 SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}: PROVIDER_BEGINPREPARE, PROVIDER_ENDPREPARE, PROVIDER_PRECOMMIT, PROVIDER_COMMIT, PROVIDER_POSTCOMMIT, PROVIDER_PREFINALCOMMIT, PROVIDER_POSTFINALCOMMIT
  Representative record (all 162 share the layout):
    Shadow Copy Optimization Writer\IDENTIFY (Leave) = 48000000000000003aeefee3a3c0d601640e00001c0b0000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
    Each value is a 72-byte binary record (the leading dword, 0x48, matches that length); the qword at offset 8 is a FILETIME of the event, and this one decodes to November 2020, the date of the run. The remaining small integer fields differ between records only in process/thread id, operation and state codes.
  Reading: msiexec.exe asked System Restore for a restore point (SrCreateRp, SppCreate) before installing the MSI, and the rest is the shadow-copy lifecycle that request triggers: writers identified, frozen and thawed, volume-snapshot IOCTLs issued, provider commit phases run. Windows Installer does this for ordinary installs, so on its own the signature says nothing about the sample's intent; the Userinit write above is the behaviour worth acting on.
  (The value listing is truncated at this point in the capture.)
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGatherWriterMetadata (Enter) = 4800000000000000dcc7d8e3a3c0d601e00200002c0c0000d30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 msiexec.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer\IDENTIFY (Leave) = 48000000000000004d4f01e4a3c0d601640e0000c40b0000e80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPAREBACKUP (Leave) = 480000000000000097489feea3c0d601640e0000900c0000e903000000000000010000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\GETSTATE (Leave) = 4800000000000000a1bcd3eea3c0d601e0020000a8080000f903000000000000000000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 msiexec.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\PREPARESNAPSHOT (Leave) = 4800000000000000af562eefa3c0d601640e00000c090000ea03000000000000010000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{0e932f02-0000-0000-0000-500600000000}_)\OPEN_VOLUME_HANDLE (Enter) = 4800000000000000b7afeaefa3c0d601640e0000ac050000fd03000001000000000000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{0e932f02-0000-0000-0000-500600000000}_)\IOCTL_FLUSH_AND_HOLD (Leave) = 4800000000000000c54926f0a3c0d601640e0000ac050000fe03000000000000000000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\THAW (Enter) = 4800000000000000c3ac28f0a3c0d601640e00008c0e0000f203000001000000000000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\BACKUPSHUTDOWN (Leave) = 4800000000000000651ad9f0a3c0d601640e00000c090000fb03000000000000050000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\PREPAREBACKUP (Enter) = 48000000000000007e839aeea3c0d601640e0000900c0000e903000001000000010000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_FRONT (Enter) = 4800000000000000278c86efa3c0d601640e00008c0e0000ec03000001000000000000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}\PROVIDER_PRECOMMIT (Leave) = 4800000000000000b7afeaefa3c0d601640e00008c0e00000304000000000000000000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 48000000000000006cd32ff0a3c0d601640e00000c0900000400000001000000030000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\IDENTIFY (Enter) = 4800000000000000b4dbebe3a3c0d601640e00001c0b0000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppAddInterestingComponents (Enter) = 48000000000000007cff14eea3c0d601e00200002c0c0000d40700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 msiexec.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\DOSNAPSHOT (Enter) = 4800000000000000f8a7dfeea3c0d601e00200002c0c00000a04000001000000000000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 msiexec.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_FRONT (Leave) = 4800000000000000a87892efa3c0d601640e00008c0e0000ec03000000000000000000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\FREEZE (Enter) = 4800000000000000f9c6a0efa3c0d601640e000040000000eb03000001000000020000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) = 48000000000000006cd32ff0a3c0d601640e00004c0e00000400000001000000030000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) = 48000000000000009e1e7cf0a3c0d601640e00000c0900000500000001000000040000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Leave) = 4800000000000000046ac8f0a3c0d6014c0500002c090000d20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 srtasks.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP 
msiexec.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Enter) = 480000000000000071a736e3a3c0d601e00200002c0c0000d20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 msiexec.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\IDENTIFY (Enter) = 4800000000000000b4dbebe3a3c0d601640e0000900c0000e80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\PREPAREBACKUP (Leave) = 480000000000000097489feea3c0d601640e0000c40b0000e903000000000000010000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\BKGND_FREEZE_THREAD (Leave) = 48000000000000006cd32ff0a3c0d601640e00003c060000fc03000000000000030000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\POSTSNAPSHOT (Leave) = 48000000000000009e1e7cf0a3c0d601640e00000c090000f503000000000000040000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Enter) = 48000000000000008636e9f6a3c0d6014c0500002c090000d10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 srtasks.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer\PREPARESNAPSHOT (Enter) = 480000000000000059e118efa3c0d601640e0000f8080000ea03000001000000010000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssvcPublisher\FREEZE_RM (Leave) = 4800000000000000b7afeaefa3c0d601640e00008c0e0000ef03000000000000000000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Lovelace(__?_Volume{0e932f02-0000-0000-0000-500600000000}_)\IOCTL_RELEASE (Enter) = 4800000000000000c54926f0a3c0d601640e0000ac050000ff03000001000000000000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer\POSTSNAPSHOT (Enter) = 4800000000000000eebc79f0a3c0d601640e000040000000f503000001000000040000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppGetSnapshots (Enter) = 4800000000000000a05ab5f0a3c0d6014c0500002c090000d20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 srtasks.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Leave) = 480000000000000014cccaf0a3c0d6014c0500002c090000d10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 srtasks.exe -
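The VSS\Diag values above are diagnostics written by the Volume Shadow Copy service (vssvc.exe) and its callers; here msiexec.exe and srtasks.exe drive the writer IDENTIFY / PREPAREBACKUP / FREEZE / THAW / POSTSNAPSHOT sequence and a DOSNAPSHOT, which is consistent with a System Restore point being created during the MSI install (note the SystemRestore key created by msiexec.exe) rather than with shadow-copy deletion. The opaque hex blobs carry a timestamp, so they can be turned into a timeline. The decoder below is an added example and not part of the sandbox report; its blob layout (u32 size, u32 unknown, u64 FILETIME, u32 PID, u32 TID, u32 operation id, remainder undecoded) is inferred from the values on this page and is an assumption, not a documented Microsoft format. The four sample lines are copied from the report above.

```python
import re
import struct
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Blob layout inferred from the values in this report (assumption, not a
# documented Microsoft format): 0x00 u32 size (0x48), 0x04 u32 unknown,
# 0x08 u64 FILETIME, 0x10 u32 PID, 0x14 u32 TID, 0x18 u32 operation id.
# The remaining fields (flags and a GUID) are intentionally left undecoded.
_HEADER = struct.Struct("<IIQIII")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# One report line: "Set value (data) <key>\<writer>\<OP> (<phase>) = <hex> <process>"
_LINE = re.compile(
    r"^Set value \(data\) \S+?\\VSS\\Diag\\(?P<writer>[^\\]+)\\(?P<op>[^\\ ]+) "
    r"\((?P<phase>Enter|Leave|SetCurrentState)\) = (?P<hex>[0-9A-Fa-f]+) (?P<proc>\S+)$"
)

# Constructed sample: four lines copied verbatim from the report above.
SAMPLE_LINES = [
    r"Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Enter) = 48000000000000002d3fcfe3a3c0d601e00200002c0c0000d10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 msiexec.exe",
    r"Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher\DOSNAPSHOT (Enter) = 4800000000000000f8a7dfeea3c0d601e00200002c0c00000a04000001000000000000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 msiexec.exe",
    r"Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer\FREEZE (Enter) = 4800000000000000f9c6a0efa3c0d601640e000040000000eb03000001000000020000000000000091891ab788b11340a32499475aa5fe6100000000000000000000000000000000 vssvc.exe",
    r"Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP\SppEnumGroups (Leave) = 480000000000000014cccaf0a3c0d6014c0500002c090000d10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 srtasks.exe",
]


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_blob(hexdata: str) -> dict:
    """Decode the header of one VSS\\Diag value; see the layout note above."""
    blob = bytes.fromhex(hexdata)
    if len(blob) < _HEADER.size:
        raise ValueError(f"blob too short: {len(blob)} bytes")
    size, _unknown, ft, pid, tid, opcode = _HEADER.unpack_from(blob)
    return {"size": size, "filetime": ft, "time": filetime_to_datetime(ft),
            "pid": pid, "tid": tid, "opcode": opcode}


def parse_line(line: str) -> Optional[dict]:
    """Return one event for a 'Set value (data)' VSS\\Diag line, else None."""
    m = _LINE.match(line)
    if m is None:
        return None
    ev = decode_blob(m["hex"])
    ev.update(writer=m["writer"], op=m["op"], phase=m["phase"], proc=m["proc"])
    return ev


def build_timeline(lines) -> List[dict]:
    """Order events by the FILETIME inside the blob (the report order is not
    chronological) and add seconds elapsed since the first event."""
    events = [ev for ev in (parse_line(ln) for ln in lines) if ev is not None]
    events.sort(key=lambda e: e["filetime"])
    t0 = events[0]["filetime"] if events else 0
    for ev in events:
        ev["elapsed_s"] = (ev["filetime"] - t0) / 10_000_000
    return events


if __name__ == "__main__":
    for ev in build_timeline(SAMPLE_LINES):
        print(f'{ev["time"]:%Y-%m-%d %H:%M:%S.%f} +{ev["elapsed_s"]:6.2f}s '
              f'pid={ev["pid"]:<5} {ev["proc"]:<12} {ev["writer"]}\\{ev["op"]} '
              f'({ev["phase"]}) op=0x{ev["opcode"]:x}')
```

Run over the full table this gives the order in which the restore point was requested, the writers were frozen and the snapshot was committed, plus the PID of each caller (736 for msiexec.exe, 3684 for vssvc.exe, 1356 for srtasks.exe in this run), which is useful when correlating with process-tree or ETW data from the same sandbox run.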
Drops file in Program Files directory 6 IoCs
Processes: msiexec.exe
description | ioc | Process
File created | C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe | msiexec.exe
File created | C:\Program Files (x86)\Def Group\PC Defender\prockill64.exe | msiexec.exe
File created | C:\Program Files (x86)\Def Group\PC Defender\prockill32.exe | msiexec.exe
File created | C:\Program Files (x86)\Def Group\PC Defender\pcdef.exe | msiexec.exe
File created | C:\Program Files (x86)\Def Group\PC Defender\uninstall.bat | msiexec.exe
File created | C:\Program Files (x86)\Def Group\PC Defender\proccheck.exe | msiexec.exe
Dr0ps file in Windows directory 12 IoCs
Processes: msiexec.exe
description | ioc | Process
File opened for modification | C:\Windows\Installer\f754537.msi | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_FC03FB89D84E75F2C05EA5.exe | msiexec.exe
File created | C:\Windows\Installer\f75453a.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_FC03FB89D84E75F2C05EA5.exe | msiexec.exe
File created | C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_368235FAFDAA3CD0178CB7.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\_368235FAFDAA3CD0178CB7.exe | msiexec.exe
File created | C:\Windows\Installer\f754537.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\SourceHash{456A3B12-8FE6-41AE-9E5C-5E55F0712C09} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI473B.tmp | msiexec.exe
These are ordinary Windows Installer side effects rather than files the sample chose to drop: the randomly named f754537.msi / f75453a.msi are the service's cached copy of the package, SourceHash{...} records the source hash, and the {456A3B12-8FE6-41AE-9E5C-5E55F0712C09} subfolder (the product code) holds files extracted from it. On an infected host the cached .msi under C:\Windows\Installer is the quickest way to recover the original installer for analysis.
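The product code {456A3B12-8FE6-41AE-9E5C-5E55F0712C09} is the pivot between these files and the registry: Windows Installer stores it unchanged under the Uninstall key and as the folder name above, but in a 32-character "packed" form (each of the first three GUID groups reversed, then every byte of the last two groups nibble-swapped) under HKLM\SOFTWARE\Classes\Installer\Products and the per-machine UserData\S-1-5-18\Products key, whose InstallProperties\LocalPackage value names the cached .msi. The converter below is an added example, not code from the report or the sample; the registry and cache paths it emits are the standard Windows Installer locations, and the 32-bit WOW6432Node Uninstall variant is noted in a comment.

```python
import re

_GUID = re.compile(
    r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$"
)


def _swap_pairs(s: str) -> str:
    """'9E5C' -> 'E9C5': swap the two hex digits of every byte."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def compress_guid(guid: str) -> str:
    """ProductCode {8-4-4-4-12} -> the 32-char packed form used as a key name
    under HKLM\\SOFTWARE\\Classes\\Installer\\Products and ...\\Installer\\UserData."""
    m = _GUID.match(guid)
    if m is None:
        raise ValueError(f"not a GUID: {guid!r}")
    g1, g2, g3, g4, g5 = (g.upper() for g in m.groups())
    return g1[::-1] + g2[::-1] + g3[::-1] + _swap_pairs(g4) + _swap_pairs(g5)


def expand_guid(packed: str) -> str:
    """Inverse of compress_guid: packed registry key name -> {GUID}."""
    p = packed.upper()
    if len(p) != 32 or any(c not in "0123456789ABCDEF" for c in p):
        raise ValueError(f"not a packed GUID: {packed!r}")
    return "{%s-%s-%s-%s-%s}" % (p[0:8][::-1], p[8:12][::-1], p[12:16][::-1],
                                 _swap_pairs(p[16:20]), _swap_pairs(p[20:32]))


def installer_artifacts(product_code: str) -> dict:
    """Standard places Windows Installer records a per-machine product."""
    guid = expand_guid(compress_guid(product_code))  # normalises case and braces
    packed = compress_guid(guid)
    return {
        "product_code": guid,
        "packed": packed,
        "products_key": r"HKLM\SOFTWARE\Classes\Installer\Products" + "\\" + packed,
        # InstallProperties\LocalPackage here names the cached .msi in C:\Windows\Installer
        "install_properties": (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData"
                               r"\S-1-5-18\Products" + "\\" + packed + r"\InstallProperties"),
        # 32-bit packages on x64 (this one installs to Program Files (x86)) live under
        # HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall instead
        "uninstall_key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" + "\\" + guid,
        "cache_dir": r"C:\Windows\Installer" + "\\" + guid,
        "source_hash": r"C:\Windows\Installer\SourceHash" + guid,
    }


if __name__ == "__main__":
    for name, value in installer_artifacts("{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}").items():
        print(f"{name:>18}: {value}")
```

Both directions are useful: going forward locates the LocalPackage value that points at the cached installer; going backward recovers a readable product code from a packed key name found during registry triage.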
Checks SCSI registry key(s) 3 TTPs 96 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run, however, every one of the 96 reads below is performed by svchost.exe, i.e. a Windows service enumerating the storage stack, not by the submitted sample or any of the files it dropped. Treat the signature as weak evidence of sandbox evasion unless the same keys are read by the dropped executables. Note also that this sandbox exposes devices named HeartDisk and Sanu DVD-ROM rather than the VMware/VirtualBox/QEMU vendor strings that naive checks look for.
Processes: svchost.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
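What a sandbox check actually extracts from these keys is the device-instance ID (class&Ven_vendor&Prod_product[&Rev_rev]\instance) and the vendor/product strings it contains, which it then compares against hypervisor names. The helper below is an added example, not part of the report or the sample: it parses the instance IDs out of the 96 paths, collapses them to the two devices the sandbox exposes, and runs the naive string match. The marker list is an illustrative assumption, and the VMware path is a constructed, hypothetical example of what a stock guest would show; the four report paths are copied from the table above.

```python
import re
from typing import List, Optional, Tuple

# Device-instance path: ...\Enum\SCSI\<class>&Ven_<vendor>&Prod_<product>[&Rev_<rev>]\<instance>\...
_SCSI = re.compile(
    r"\\Enum\\SCSI\\(?P<devclass>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]+)"
    r"(?:&Rev_(?P<rev>[^\\]*))?\\(?P<instance>[^\\]+)"
)

# Illustrative hypervisor markers (assumption: a common starting list, not exhaustive).
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtual", "xen", "virtio", "hyper-v", "msft")

# Constructed sample: four paths copied from the report above ...
REPORT_PATHS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000",
]
# ... and one hypothetical path of the kind a stock VMware guest exposes (not from this report).
HYPOTHETICAL_VMWARE_PATH = (
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware&Prod_Virtual_disk&Rev_2.0"
    r"\5&1ec51bf7&0&000000\FriendlyName"
)


def parse_device(path: str) -> Optional[dict]:
    """Split the SCSI device-instance ID out of a registry path; None if absent."""
    m = _SCSI.search(path)
    return m.groupdict() if m else None


def inventory(paths) -> List[Tuple[str, str, str, str]]:
    """Unique (class, vendor, product, instance) tuples, sorted, from many key reads."""
    seen = set()
    for path in paths:
        dev = parse_device(path)
        if dev:
            seen.add((dev["devclass"], dev["vendor"], dev["product"], dev["instance"]))
    return sorted(seen)


def vm_indicators(paths) -> List[Tuple[str, str]]:
    """(field, value) pairs whose vendor or product string contains a VM marker."""
    hits = []
    for _devclass, vendor, product, _instance in inventory(paths):
        for field, value in (("vendor", vendor), ("product", product)):
            if any(marker in value.lower() for marker in VM_MARKERS):
                hits.append((field, value))
    return hits


if __name__ == "__main__":
    print("devices:", inventory(REPORT_PATHS))
    print("sandbox markers in report:", vm_indicators(REPORT_PATHS))
    print("same check on a stock guest:", vm_indicators(REPORT_PATHS + [HYPOTHETICAL_VMWARE_PATH]))
```

The empty result for the report paths is the point: a sandbox that renames its virtual devices defeats string-list checks, which is why mature evasion code also looks at disk size, MAC prefixes, CPUID and timing rather than only at Enum\SCSI.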
Modifies data under HKEY_USERS 38 IoCs
Modifies registry class 80 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid, process):
  736  msiexec.exe
  736  msiexec.exe
Suspicious use of AdjustPrivilegeToken 85 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
  3584  msiexec.exe
  3584  msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
  428  LogonUI.exe
Suspicious use of WriteProcessMemory 32 IoCs
Processes

C:\Windows\system32\msiexec.exe  (PID 3584)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 736)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Modifies service
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\srtasks.exe  (PID 1356)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Modifies service

  C:\Windows\syswow64\MsiExec.exe  (PID 3928)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 958F453F5CD7BB22FCB417A0B4F21B93 E Global\MSI0000
    - Modifies WinLogon for persistence
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe  (PID 1584)
      Command line: "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
      - Modifies registry class

    C:\Windows\SysWOW64\reg.exe  (PID 2332)
      Command line: "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
      - Modifies registry class

    C:\Windows\SysWOW64\reg.exe  (PID 3808)
      Command line: "C:\Windows\SysWOW64\reg.exe" COPY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290_ /s /f
      - Modifies registry class

    C:\Windows\SysWOW64\reg.exe  (PID 3876)
      Command line: "C:\Windows\SysWOW64\reg.exe" DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\21B3A6546EF8EA14E9C5E5550F17C290 /f
      - Modifies registry class

    C:\Windows\SysWOW64\cmd.exe  (PID 2800)
      Command line: "C:\Windows\SysWOW64\cmd.exe" /C "DEL /F /Q C:\Windows\Prefetch\pcdef*"

    C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe  (PID 3936)
      Command line: "C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0"
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe  (PID 3960)
        Command line: "C:\Program Files (x86)\Def Group\PC Defender\rundelay.exe" "shutdown -r -t 0" 1
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 1924)
          Command line: C:\Windows\system32\cmd.exe /c shutdown -r -t 0
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\shutdown.exe  (PID 904)
            Command line: shutdown -r -t 0

C:\Windows\system32\vssvc.exe  (PID 3684)
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken

\??\c:\windows\system32\svchost.exe  (PID 640)
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS

C:\Windows\system32\LogonUI.exe  (PID 428)
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad7855 /state1:0x41c64e6d
  - Modifies WinLogon to allow AutoLogon
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Downloads