Analysis Overview
SHA256
147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b
Threat Level: Known bad
The file 147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b was found to be: Known bad.
Malicious Activity Summary
Sodinokibi family
Modifies extensions of user files
Modifies Windows Firewall
Enumerates connected drives
Adds Run key to start application
Sets desktop wallpaper using registry
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-30 08:01
Signatures
Sodinokibi family
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-30 08:01
Reported
2022-01-30 13:31
Platform
win7-en-20211208
Max time kernel
133s
Max time network
165s
Command Line
Signatures
Modifies Windows Firewall
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\users\admin\pictures\UninstallExit.tiff | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UninstallExit.tiff => \??\c:\users\admin\pictures\UninstallExit.tiff.6miuub | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
| File opened for modification | \??\c:\users\admin\pictures\ExpandExport.tiff | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ExpandExport.tiff => \??\c:\users\admin\pictures\ExpandExport.tiff.6miuub | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SendUndo.raw => \??\c:\users\admin\pictures\SendUndo.raw.6miuub | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ShowConvertFrom.crw => \??\c:\users\admin\pictures\ShowConvertFrom.crw.6miuub | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\TestConfirm.raw => \??\c:\users\admin\pictures\TestConfirm.raw.6miuub | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kVGpXgdK25 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe" | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1gzp95bs01jyq.bmp" | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877619000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1772 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1772 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1772 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1772 wrote to memory of 1136 | N/A | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe
"C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ungsvenskarna.se | udp |
| US | 76.76.21.142:443 | ungsvenskarna.se | tcp |
| US | 76.76.21.142:443 | ungsvenskarna.se | tcp |
| US | 8.8.8.8:53 | simulatebrain.com | udp |
| US | 8.8.8.8:53 | meusharklinithome.wordpress.com | udp |
| US | 192.0.78.12:443 | meusharklinithome.wordpress.com | tcp |
| US | 192.0.78.12:443 | meusharklinithome.wordpress.com | tcp |
| US | 8.8.8.8:53 | mediaacademy-iraq.org | udp |
| DE | 144.76.225.204:443 | mediaacademy-iraq.org | tcp |
| DE | 144.76.225.204:443 | mediaacademy-iraq.org | tcp |
| US | 8.8.8.8:53 | noskierrenteria.com | udp |
| DE | 81.169.181.88:443 | noskierrenteria.com | tcp |
| US | 8.8.8.8:53 | izzi360.com | udp |
| FR | 109.234.162.102:443 | izzi360.com | tcp |
| FR | 109.234.162.102:443 | izzi360.com | tcp |
| US | 8.8.8.8:53 | ravensnesthomegoods.com | udp |
| US | 8.8.8.8:53 | adoptioperheet.fi | udp |
| FI | 95.217.160.242:443 | adoptioperheet.fi | tcp |
| FI | 95.217.160.242:443 | adoptioperheet.fi | tcp |
| US | 8.8.8.8:53 | conexa4papers.trade | udp |
| HK | 47.75.130.171:443 | conexa4papers.trade | tcp |
| US | 8.8.8.8:53 | jerling.de | udp |
| US | 172.67.162.148:443 | jerling.de | tcp |
| US | 8.8.8.8:53 | greenpark.ch | udp |
| CH | 149.126.6.52:443 | greenpark.ch | tcp |
| CH | 149.126.6.52:443 | greenpark.ch | tcp |
| US | 8.8.8.8:53 | irishmachineryauctions.com | udp |
| NL | 35.214.182.106:443 | irishmachineryauctions.com | tcp |
| NL | 35.214.182.106:443 | irishmachineryauctions.com | tcp |
| US | 8.8.8.8:53 | easytrans.com.au | udp |
| US | 8.8.8.8:53 | lillegrandpalais.com | udp |
| FR | 91.121.62.37:443 | lillegrandpalais.com | tcp |
| US | 8.8.8.8:53 | cuppacap.com | udp |
| PL | 51.68.138.187:443 | cuppacap.com | tcp |
| US | 8.8.8.8:53 | roygolden.com | udp |
| US | 50.16.12.56:443 | roygolden.com | tcp |
| US | 8.8.8.8:53 | vihannesporssi.fi | udp |
| FI | 80.83.6.130:443 | vihannesporssi.fi | tcp |
| FI | 80.83.6.130:443 | vihannesporssi.fi | tcp |
| US | 8.8.8.8:53 | ausbeverage.com.au | udp |
| US | 172.67.68.211:443 | ausbeverage.com.au | tcp |
| US | 8.8.8.8:53 | kadesignandbuild.co.uk | udp |
| US | 188.114.96.0:443 | kadesignandbuild.co.uk | tcp |
| US | 8.8.8.8:53 | bowengroup.com.au | udp |
| US | 192.124.249.160:443 | bowengroup.com.au | tcp |
| US | 192.124.249.160:443 | bowengroup.com.au | tcp |
| US | 8.8.8.8:53 | marietteaernoudts.nl | udp |
| NL | 141.138.169.211:443 | marietteaernoudts.nl | tcp |
| NL | 141.138.169.211:443 | marietteaernoudts.nl | tcp |
| US | 8.8.8.8:53 | hoteledenpadova.it | udp |
| DE | 185.114.108.107:443 | hoteledenpadova.it | tcp |
| DE | 185.114.108.107:443 | hoteledenpadova.it | tcp |
| US | 8.8.8.8:53 | baumkuchenexpo.jp | udp |
| JP | 153.122.20.80:443 | baumkuchenexpo.jp | tcp |
| JP | 153.122.20.80:443 | baumkuchenexpo.jp | tcp |
| US | 8.8.8.8:53 | body-guards.it | udp |
| IT | 151.11.50.69:443 | body-guards.it | tcp |
| IT | 151.11.50.69:443 | body-guards.it | tcp |
| US | 8.8.8.8:53 | malychanieruchomoscipremium.com | udp |
| PL | 185.242.134.73:443 | malychanieruchomoscipremium.com | tcp |
| PL | 185.242.134.73:443 | malychanieruchomoscipremium.com | tcp |
| US | 8.8.8.8:53 | nurturingwisdom.com | udp |
| US | 35.209.107.7:443 | nurturingwisdom.com | tcp |
| US | 35.209.107.7:443 | nurturingwisdom.com | tcp |
| US | 8.8.8.8:53 | heliomotion.com | udp |
| US | 172.67.128.214:443 | heliomotion.com | tcp |
| US | 172.67.128.214:443 | heliomotion.com | tcp |
| US | 8.8.8.8:53 | spargel-kochen.de | udp |
| DE | 87.238.193.48:443 | spargel-kochen.de | tcp |
| US | 8.8.8.8:53 | ilcdover.com | udp |
| US | 141.193.213.21:443 | ilcdover.com | tcp |
| US | 141.193.213.21:443 | ilcdover.com | tcp |
| US | 8.8.8.8:53 | kojima-shihou.com | udp |
| JP | 157.7.44.182:443 | kojima-shihou.com | tcp |
| JP | 157.7.44.182:443 | kojima-shihou.com | tcp |
| US | 8.8.8.8:53 | esope-formation.fr | udp |
| FR | 54.36.95.221:443 | esope-formation.fr | tcp |
| US | 8.8.8.8:53 | cortec-neuro.com | udp |
| DE | 217.160.0.189:443 | cortec-neuro.com | tcp |
| DE | 217.160.0.189:443 | cortec-neuro.com | tcp |
| US | 8.8.8.8:53 | rebeccarisher.com | udp |
| US | 104.156.253.187:443 | rebeccarisher.com | tcp |
| US | 8.8.8.8:53 | importardechina.info | udp |
| HK | 47.75.130.171:443 | importardechina.info | tcp |
Files
memory/1772-55-0x00000000762C1000-0x00000000762C3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-30 08:01
Reported
2022-01-30 13:31
Platform
win10-en-20211208
Max time kernel
173s
Max time network
182s
Command Line
Signatures
Modifies Windows Firewall
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\LimitRequest.tif => \??\c:\users\admin\pictures\LimitRequest.tif.c7h8j641 | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RequestRedo.raw => \??\c:\users\admin\pictures\RequestRedo.raw.c7h8j641 | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnlockUnregister.crw => \??\c:\users\admin\pictures\UnlockUnregister.crw.c7h8j641 | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kVGpXgdK25 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe" | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\2483382631\828754195.pri | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\97717462.pri | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Windows\rescache\_merged\2878165772\1123312451.pri | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Windows\rescache\_merged\1301087654\4010849688.pri | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Windows\rescache\_merged\1476457207\3533431084.pri | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Windows\rescache\_merged\3623239459\11870838.pri | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Windows\rescache\_merged\423379043\3468251582.pri | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Windows\rescache\_merged\81479705\3092222186.pri | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Windows\rescache\_merged\4272278488\30062976.pri | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Windows\rescache\_merged\3418783148\3128450559.pri | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Windows\rescache\_merged\1974107395\4149693858.pri | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Windows\rescache\_merged\4185669309\1202008662.pri | C:\Windows\SysWOW64\netsh.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\1361672858.pri | C:\Windows\SysWOW64\netsh.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4028 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 4028 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 4028 wrote to memory of 4620 | N/A | C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe
"C:\Users\Admin\AppData\Local\Temp\147b098aabc3a9744c64dc48ea8ddff09a524112b5c4ec87815b2b964ca8c78b.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe