General Info

File name

Cyberghost Latest Version [Cracked] (1).rar

Verdict
Malicious activity
Analysis date
11/8/2018, 10:15:51
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v5
MD5

8c49252fb9fd5ef3f4644d7a4c96d605

SHA1

5758f16f35bd2b6608ced7f3f3f46f3734248cb0

SHA256

6d469a023ae548c7b80beac3bfcb2e1b7e45d5dbf4c9c943ac02dff2b9f8e31f

SSDEEP

393216:zzZZ/HTs8FYJa2QdVwz2XUu17vapO1bHWEcZ/u5S//lkk99QexkcvI8:zznbs8+JB/ziUI7ipO1bH6J/ya5qcA8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • wyUpdate.exe (PID: 1100)
  • nsD06D.tmp (PID: 1880)
  • tapinstall.exe (PID: 2304)
  • nsCF15.tmp (PID: 3120)
  • tapinstall.exe (PID: 3988)
  • CyberGhost.Service.exe (PID: 2620)
  • tap-windows-9.21.2.exe (PID: 2036)
  • CyberGhost.exe (PID: 2560)
  • CyberGhost.Service.exe (PID: 3112)
Loads dropped or rewritten executable
  • tap-windows-9.21.2.exe (PID: 2036)
  • CyberGhost.Service.exe (PID: 3112)
  • CyberGhost.Service.exe (PID: 2620)
  • CyberGhost.exe (PID: 2560)
Actions look like stealing of personal data
  • CyberGhost.Service.exe (PID: 2620)
  • CyberGhost.exe (PID: 2560)
Removes files from Windows directory
  • DrvInst.exe (PID: 1256)
  • wyUpdate.exe (PID: 1100)
  • DrvInst.exe (PID: 2232)
Creates files in the driver directory
  • DrvInst.exe (PID: 1256)
  • DrvInst.exe (PID: 2232)
Executable content was dropped or overwritten
  • DrvInst.exe (PID: 1256)
  • tapinstall.exe (PID: 2304)
  • DrvInst.exe (PID: 2232)
  • tap-windows-9.21.2.exe (PID: 2036)
  • Full CyberGhost_6.0.6.2540_Cracksu.com.tmp (PID: 3252)
  • Full CyberGhost_6.0.6.2540_Cracksu.com.exe (PID: 3028)
Searches for installed software
  • DrvInst.exe (PID: 2232)
Creates files in the Windows directory
  • DrvInst.exe (PID: 1256)
  • wyUpdate.exe (PID: 1100)
  • tapinstall.exe (PID: 2304)
  • DrvInst.exe (PID: 2232)
Uses RUNDLL32.EXE to load library
  • DrvInst.exe (PID: 2232)
Creates or modifies Windows services
  • DrvInst.exe (PID: 2232)
  • CyberGhost.Service.exe (PID: 2620)
  • CyberGhost.Service.exe (PID: 3112)
Creates files in the program directory
  • CyberGhost.Service.exe (PID: 3112)
  • tap-windows-9.21.2.exe (PID: 2036)
Changes IE settings (feature browser emulation)
  • CyberGhost.exe (PID: 2560)
Starts application with an unusual extension
  • tap-windows-9.21.2.exe (PID: 2036)
Reads Environment values
  • CyberGhost.Service.exe (PID: 2620)
  • CyberGhost.exe (PID: 2560)
Reads the Windows organization settings
  • Full CyberGhost_6.0.6.2540_Cracksu.com.tmp (PID: 3252)
Creates files in the user directory
  • Full CyberGhost_6.0.6.2540_Cracksu.com.tmp (PID: 3252)
Reads Windows owner or organization settings
  • Full CyberGhost_6.0.6.2540_Cracksu.com.tmp (PID: 3252)
Low-level read access rights to disk partition
  • vssvc.exe (PID: 3316)
Changes settings of System certificates
  • DrvInst.exe (PID: 2232)
Application was dropped or rewritten from another process
  • Full CyberGhost_6.0.6.2540_Cracksu.com.tmp (PID: 3252)
Dropped object may contain Bitcoin addresses
  • Full CyberGhost_6.0.6.2540_Cracksu.com.tmp (PID: 3252)
Creates a software uninstall entry
  • Full CyberGhost_6.0.6.2540_Cracksu.com.tmp (PID: 3252)
Creates or modifies Windows services
  • vssvc.exe (PID: 3316)
Creates files in the program directory
  • Full CyberGhost_6.0.6.2540_Cracksu.com.tmp (PID: 3252)

Static information

TRiD

  • .rar: RAR compressed archive (v5.0) (61.5%)
  • .rar: RAR compressed archive (gen) (38.4%)

Processes

Total processes
56
Monitored processes
17
Malicious processes
9
Suspicious processes
0

Behavior graph

Edge labels: start, drop and start

Nodes:

  • winrar.exe (no specs)
  • full cyberghost_6.0.6.2540_cracksu.com.exe
  • full cyberghost_6.0.6.2540_cracksu.com.tmp
  • cyberghost.exe
  • cyberghost.service.exe (no specs)
  • cyberghost.service.exe
  • tap-windows-9.21.2.exe
  • nscf15.tmp (no specs)
  • tapinstall.exe (no specs)
  • nsd06d.tmp (no specs)
  • tapinstall.exe
  • drvinst.exe
  • rundll32.exe (no specs)
  • wyupdate.exe
  • vssvc.exe (no specs)
  • drvinst.exe (no specs)
  • drvinst.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3984
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Cyberghost Latest Version [Cracked] (1).rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
3028
CMD
"C:\Users\admin\Desktop\Cyberghost Latest Version [Cracked]\Setup\Full CyberGhost_6.0.6.2540_Cracksu.com.exe"
Path
C:\Users\admin\Desktop\Cyberghost Latest Version [Cracked]\Setup\Full CyberGhost_6.0.6.2540_Cracksu.com.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version:
Company
CyberGhost S.R.L.
Description
CyberGhost 6
Version
6.0.4
Modules
Image
c:\users\admin\desktop\cyberghost latest version [cracked]\setup\full cyberghost_6.0.6.2540_cracksu.com.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\version.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\users\admin\appdata\local\temp\is-r9g5k.tmp\full cyberghost_6.0.6.2540_cracksu.com.tmp

PID
3252
CMD
"C:\Users\admin\AppData\Local\Temp\is-R9G5K.tmp\Full CyberGhost_6.0.6.2540_Cracksu.com.tmp" /SL5="$901DE,15011427,150528,C:\Users\admin\Desktop\Cyberghost Latest Version [Cracked]\Setup\Full CyberGhost_6.0.6.2540_Cracksu.com.exe"
Path
C:\Users\admin\AppData\Local\Temp\is-R9G5K.tmp\Full CyberGhost_6.0.6.2540_Cracksu.com.tmp
Indicators
Parent process
Full CyberGhost_6.0.6.2540_Cracksu.com.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
Setup/Uninstall
Version
51.1052.0.0
Modules
Image
c:\users\admin\appdata\local\temp\is-r9g5k.tmp\full cyberghost_6.0.6.2540_cracksu.com.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\imageres.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\cyberghost 6\cyberghost.exe
c:\program files\cyberghost 6\unins000.exe

PID
2560
CMD
"C:\Program Files\CyberGhost 6\CyberGhost.exe" /install
Path
C:\Program Files\CyberGhost 6\CyberGhost.exe
Indicators
Parent process
Full CyberGhost_6.0.6.2540_Cracksu.com.tmp
User
admin
Integrity Level
HIGH
Version:
Company
CyberGhost S.R.L.
Description
CyberGhost
Version
6.0.6.2540
Modules
Image
c:\program files\cyberghost 6\cyberghost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\windowsbase\32512bd09e2231f6eebb15fc17e3ad79\windowsbase.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentationcore\416ba33cb980d07643e82c4c45bd5786\presentationcore.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio5ae0f00f#\da36abbea6ef456f432434d4d8d835c1\presentationframework.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xaml\6d09f865a22e2f903b74476769e1b76a\system.xaml.ni.dll
c:\windows\system32\dwrite.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpfgfx_v0400.dll
c:\windows\system32\oleaut32.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\presentationnative_v0400.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\program files\cyberghost 6\en\cyberghost.resources.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\cyberghost 6\firstfloor.modernui.dll
c:\program files\cyberghost 6\devexpress.xpf.grid.v15.2.dll
c:\program files\cyberghost 6\devexpress.xpf.core.v15.2.dll
c:\program files\cyberghost 6\devexpress.data.v15.2.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatiod51afaa5#\01bed42723486eb478a5b3e2557173db\presentationframework.classic.ni.dll
c:\program files\cyberghost 6\devexpress.xpf.grid.v15.2.core.dll
c:\program files\cyberghost 6\devexpress.printing.v15.2.core.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\program files\cyberghost 6\devexpress.mvvm.v15.2.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\program files\cyberghost 6\bugsplatdotnet.dll
c:\program files\cyberghost 6\mobileconcepts45.dll
c:\program files\cyberghost 6\hardcodet.wpf.taskbarnotification.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\windowsform0b574481#\da612289faed8f139ce9c577e06762f1\windowsformsintegration.ni.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\vga.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\shell32.dll
c:\program files\cyberghost 6\cyberghost.settings.dll
c:\program files\cyberghost 6\cyberghost.vpnservices.dll
c:\program files\cyberghost 6\cyberghost.communication.dll
c:\program files\cyberghost 6\cyberghost.restcommunicator.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\cd7ca8846a122a7e690e11c4611bc902\system.numerics.ni.dll
c:\program files\cyberghost 6\system.windows.interactivity.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml.linq\0261f24b2fd53085823ea90b359d71ee\system.xml.linq.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\dd1e55e4b87101888a94f28ce396f2ea\microsoft.csharp.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.dynamic\788fba784cfc29d8c324d66f6ee4c427\system.dynamic.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\uiautomationprovider\419dd31edfefd1c8923b38e8c9ce3e89\uiautomationprovider.ni.dll
c:\program files\cyberghost 6\wpfanimatedgif.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.serv759bfb78#\86909e4c4c7deb51e42b8f335c7aaa77\system.serviceprocess.ni.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\program files\cyberghost 6\cyberghost.service.exe
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\program files\cyberghost 6\data\openvpn\tap-windows-9.21.2.exe

PID
3112
CMD
"C:\Program Files\CyberGhost 6\CyberGhost.Service.exe" --install
Path
C:\Program Files\CyberGhost 6\CyberGhost.Service.exe
Indicators
No indicators
Parent process
CyberGhost.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
CyberGhost S.R.L
Description
CyberGhost Service
Version
6.0.6.2540
Modules
Image
c:\program files\cyberghost 6\cyberghost.service.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.serv759bfb78#\86909e4c4c7deb51e42b8f335c7aaa77\system.serviceprocess.ni.dll
c:\program files\cyberghost 6\mobileconcepts45.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\ecc5bbc5c2734b2451ced2f668f40911\system.configuration.install.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\c56771a9cfb87e660d60453e232abe27\system.runtime.serialization.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\smdiagnostics\4a2a848ea1fea1a74d5aa2f1c21c5ce8\smdiagnostics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servd1dec626#\52e9ac689c75dd011f0f7e827551e985\system.servicemodel.internals.ni.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll

PID
2620
CMD
"C:\Program Files\CyberGhost 6\CyberGhost.Service.exe"
Path
C:\Program Files\CyberGhost 6\CyberGhost.Service.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
CyberGhost S.R.L
Description
CyberGhost Service
Version
6.0.6.2540
Modules
Image
c:\program files\cyberghost 6\cyberghost.service.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.serv759bfb78#\86909e4c4c7deb51e42b8f335c7aaa77\system.serviceprocess.ni.dll
c:\program files\cyberghost 6\mobileconcepts45.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\ecc5bbc5c2734b2451ced2f668f40911\system.configuration.install.ni.dll
c:\program files\cyberghost 6\cyberghost.vpnservices.dll
c:\program files\cyberghost 6\cyberghost.settings.dll
c:\program files\cyberghost 6\cyberghost.communication.dll
c:\program files\cyberghost 6\bugsplatdotnet.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servicemodel\f101d49ff42f71da4271bfa41dda9bd2\system.servicemodel.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servd1dec626#\52e9ac689c75dd011f0f7e827551e985\system.servicemodel.internals.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\smdiagnostics\4a2a848ea1fea1a74d5aa2f1c21c5ce8\smdiagnostics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\c56771a9cfb87e660d60453e232abe27\system.runtime.serialization.ni.dll
c:\windows\system32\pcwum.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.identitymodel\9d45d2d6b426b57dc732ff567bb32dad\system.identitymodel.ni.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\program files\cyberghost 6\cyberghost.restcommunicator.dll
c:\windows\system32\shell32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml.linq\0261f24b2fd53085823ea90b359d71ee\system.xml.linq.ni.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\httpapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.csharp\dd1e55e4b87101888a94f28ce396f2ea\microsoft.csharp.ni.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\program files\cyberghost 6\wyupdate.exe
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

PID
2036
CMD
"C:\Program Files\CyberGhost 6\Data\OpenVPN\tap-windows-9.21.2.exe" /S
Path
C:\Program Files\CyberGhost 6\Data\OpenVPN\tap-windows-9.21.2.exe
Indicators
Parent process
CyberGhost.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
Version
Modules
Image
c:\program files\cyberghost 6\data\openvpn\tap-windows-9.21.2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\users\admin\appdata\local\temp\nslcef4.tmp\userinfo.dll
c:\users\admin\appdata\local\temp\nslcef4.tmp\system.dll
c:\users\admin\appdata\local\temp\nslcef4.tmp\nsexec.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\nslcef4.tmp\nscf15.tmp
c:\users\admin\appdata\local\temp\nslcef4.tmp\nsd06d.tmp

PID
3120
CMD
"C:\Users\admin\AppData\Local\Temp\nslCEF4.tmp\nsCF15.tmp" "C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901
Path
C:\Users\admin\AppData\Local\Temp\nslCEF4.tmp\nsCF15.tmp
Indicators
No indicators
Parent process
tap-windows-9.21.2.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nslcef4.tmp\nscf15.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\program files\tap-windows\bin\tapinstall.exe

PID
3988
CMD
"C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901
Path
C:\Program Files\TAP-Windows\bin\tapinstall.exe
Indicators
No indicators
Parent process
nsCF15.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Windows (R) Win 7 DDK provider
Description
Windows Setup API
Version
6.1.7600.16385 built by: WinDDK
Modules
Image
c:\program files\tap-windows\bin\tapinstall.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wintrust.dll

PID
1880
CMD
"C:\Users\admin\AppData\Local\Temp\nslCEF4.tmp\nsD06D.tmp" "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
Path
C:\Users\admin\AppData\Local\Temp\nslCEF4.tmp\nsD06D.tmp
Indicators
No indicators
Parent process
tap-windows-9.21.2.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nslcef4.tmp\nsd06d.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\program files\tap-windows\bin\tapinstall.exe

PID
2304
CMD
"C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901
Path
C:\Program Files\TAP-Windows\bin\tapinstall.exe
Indicators
Parent process
nsD06D.tmp
User
admin
Integrity Level
HIGH
Version:
Company
Windows (R) Win 7 DDK provider
Description
Windows Setup API
Version
6.1.7600.16385 built by: WinDDK
Modules
Image
c:\program files\tap-windows\bin\tapinstall.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\spinf.dll
c:\windows\system32\netcfgx.dll
c:\windows\system32\slc.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nci.dll
c:\windows\system32\wlaninst.dll
c:\windows\system32\wwaninst.dll
c:\windows\system32\newdev.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\drvstore.dll

PID
2232
CMD
DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{547a8cfd-76db-249f-dcfe-2c2858a4c96c}\oemvista.inf" "0" "6d14a44ff" "000005D0" "WinSta0\Default" "000003D0" "208" "c:\program files\tap-windows\driver"
Path
C:\Windows\system32\DrvInst.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\drvstore.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\spinf.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\ntmarta.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll

PID
556
CMD
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{0561f7d2-9d83-771a-42a1-0130d5f1db0a} Global\{14bb6aeb-2c96-7be9-0611-9d468aaae145} C:\Windows\System32\DriverStore\Temp\{030a93cc-56b9-45af-4b0e-0927baa3df2b}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{030a93cc-56b9-45af-4b0e-0927baa3df2b}\tap0901.cat
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
DrvInst.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\pnpui.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\dui70.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\spinf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\duser.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\netutils.dll

PID
1100
CMD
"C:\Program Files\CyberGhost 6\wyUpdate.exe" /justcheck /quickcheck /noerr -server="https://download.cyberghostvpn.com/windows/updates/6/wyserver.wys"
Path
C:\Program Files\CyberGhost 6\wyUpdate.exe
Indicators
Parent process
CyberGhost.Service.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
2
Version:
Company
wyDay
Description
wyUpdate
Version
2.6.18.4
Modules
Image
c:\program files\cyberghost 6\wyupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\riched20.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.serv759bfb78#\86909e4c4c7deb51e42b8f335c7aaa77\system.serviceprocess.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\normaliz.dll

PID
3316
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll

PID
3320
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005F0" "000005EC"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

PID
1256
CMD
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oemvista.inf:tap0901:tap0901.ndi:9.0.0.21:tap0901" "6d14a44ff" "000005D0" "000005F0" "000005B8"
Path
C:\Windows\system32\DrvInst.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\netcfgx.dll
c:\windows\system32\slc.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nci.dll
c:\windows\system32\wlaninst.dll
c:\windows\system32\wwaninst.dll
c:\windows\system32\spfileq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\clbcatq.dll

Registry activity

Total events
1475
Read events
1068
Write events
397
Delete events
10

Modification events

PID
Process
Operation
Key
Name
Value
1256
DrvInst.exe
delete key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\Interfaces
1256
DrvInst.exe
delete key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\AllowNonAdmin\enum
1256
DrvInst.exe
delete key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\AllowNonAdmin
1256
DrvInst.exe
delete key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MAC
1256
DrvInst.exe
delete key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MediaStatus\enum
1256
DrvInst.exe
delete key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MediaStatus
1256
DrvInst.exe
delete key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MTU
1256
DrvInst.exe
delete key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params
1256
DrvInst.exe
delete key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi
1256
DrvInst.exe
delete key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey
1256
DrvInst.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi
Service
tap0901
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\Interfaces
UpperRange
ndis5
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\Interfaces
LowerRange
ethernet
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey
Manufacturer
TAP-Windows Provider V9
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey
ProductName
TAP-Windows Adapter V9
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MTU
ParamDesc
MTU
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MTU
Type
int
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MTU
Default
1500
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MTU
Optional
0
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MTU
Min
100
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MTU
Max
1500
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MTU
Step
1
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MediaStatus
ParamDesc
Media Status
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MediaStatus
Type
enum
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MediaStatus
Default
0
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MediaStatus
Optional
0
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MediaStatus\enum
0
Application Controlled
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MediaStatus\enum
1
Always Connected
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MAC
ParamDesc
MAC Address
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MAC
Type
edit
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\MAC
Optional
1
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\AllowNonAdmin
ParamDesc
Non-Admin Access
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\AllowNonAdmin
Type
enum
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\AllowNonAdmin
Default
1
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\AllowNonAdmin
Optional
0
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\AllowNonAdmin\enum
0
Not Allowed
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NDISTempKey\Ndi\params\AllowNonAdmin\enum
1
Allowed
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles
%SystemPath%\system32\DRIVERS\tap0901.sys
5
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
NewDeviceInstall
1
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
NetCfgInstanceId
{B0113583-667A-49EF-AE1A-161D77771073}
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
*IfType
6
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
Characteristics
0
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
*MediaType
0
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
*PhysicalMediaType
14
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{B0113583-667A-49EF-AE1A-161D77771073}\Connection
DefaultNameResourceId
1803
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{B0113583-667A-49EF-AE1A-161D77771073}\Connection
DefaultNameIndex
0
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{B0113583-667A-49EF-AE1A-161D77771073}\Connection
Name
Local Area Connection
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
NetLuidIndex
9
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
DeviceInstanceID
ROOT\NET\0000
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
InstallTimeStamp
E2070B0004000800090011000C008401
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi
Service
tap0901
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\Interfaces
UpperRange
ndis5
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\Interfaces
LowerRange
ethernet
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
Manufacturer
TAP-Windows Provider V9
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
ProductName
TAP-Windows Adapter V9
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MTU
ParamDesc
MTU
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MTU
Type
int
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MTU
Default
1500
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MTU
Optional
0
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MTU
Min
100
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MTU
Max
1500
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MTU
Step
1
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MediaStatus
ParamDesc
Media Status
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MediaStatus
Type
enum
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MediaStatus
Default
0
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MediaStatus
Optional
0
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MediaStatus\enum
0
Application Controlled
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MediaStatus\enum
1
Always Connected
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MAC
ParamDesc
MAC Address
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MAC
Type
edit
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\MAC
Optional
1
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\AllowNonAdmin
ParamDesc
Non-Admin Access
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\AllowNonAdmin
Type
enum
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\AllowNonAdmin
Default
1
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\AllowNonAdmin
Optional
0
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\AllowNonAdmin\enum
0
Not Allowed
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011\Ndi\params\AllowNonAdmin\enum
1
Allowed
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
ComponentId
tap0901
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions
TAP-Windows Adapter V9
1
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\NET\0000\Device Parameters
InstanceIndex
1
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
AllowNonAdmin
1
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
MediaStatus
0
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
MTU
1500
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\GroupOrderList
NDIS
170000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F0000001000000011000000120000001300000014000000150000001600000017000000
1256
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\NetCfgLockHolder
INetCfg Installer Interface
3252
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | Owner | B40C0000D3B7FEBA4377D401
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | SessionHash | CAF73806D0014345B6E16413641108A755E42E1E0A646EACBD9F4A7AE08CD9D5
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | Sequence | 1
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | RegFiles0000 | C:\Program Files\CyberGhost 6\BsSndRpt.exe
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | RegFilesHash | E777D0AB8A3553218239A2C64C83E741294012B07FCA9D81468D769CEC5E33F3
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\CyberGhost | ReleaseChannel | Live
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_CURRENT_USER\Software\CyberGhost | Language | en
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_CURRENT_USER\Software\CyberGhost | LoginServer | rest.cyberghostvpn.com
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | Inno Setup: Setup Version | 5.5.9 (u)
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | Inno Setup: App Path | C:\Program Files\CyberGhost 6
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | InstallLocation | C:\Program Files\CyberGhost 6\
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | Inno Setup: Icon Group | CyberGhost 6
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | Inno Setup: User | admin
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | Inno Setup: Language | en
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | DisplayName | CyberGhost 6
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | DisplayIcon | C:\Program Files\CyberGhost 6\CGLogo.ico
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | UninstallString | "C:\Program Files\CyberGhost 6\unins000.exe"
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | QuietUninstallString | "C:\Program Files\CyberGhost 6\unins000.exe" /SILENT
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | Publisher | CyberGhost S.R.L.
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | URLInfoAbout | http://www.cyberghostvpn.com
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | HelpLink | http://www.cyberghostvpn.com
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | URLUpdateInfo | http://www.cyberghostvpn.com
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | NoModify | 1
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | NoRepair | 1
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | InstallDate | 20181108
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | EstimatedSize | 55776
2560 | CyberGhost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | Name | CyberGhost.exe
2560 | CyberGhost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2560 | CyberGhost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2560 | CyberGhost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | CyberGhost.exe | 0
2560 | CyberGhost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_96DPI_PIXEL | CyberGhost.exe | 1
2560 | CyberGhost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING | CyberGhost.exe | 1
2560 | CyberGhost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS | CyberGhost.exe | 1
2560 | CyberGhost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION | CyberGhost.exe | 1
2560 | CyberGhost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE | CyberGhost.exe | 0
2560 | CyberGhost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT | CyberGhost.exe | 0
2560 | CyberGhost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | CyberGhost.exe | 0
3112 | CyberGhost.Service.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application | AutoBackupLogFiles | 0
3112 | CyberGhost.Service.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\CG6Service | EventMessageFile | C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll
3112 | CyberGhost.Service.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3112 | CyberGhost.Service.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2620 | CyberGhost.Service.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\CyberGhost 6 Service | EventMessageFile | C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll
2620 | CyberGhost.Service.exe | write | HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2620 | CyberGhost.Service.exe | write | HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon
3984 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\Cyberghost Latest Version [Cracked] (1).rar
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General | LastFolder | C:\Users\admin\AppData\Local\Temp
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | name | 120
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | size | 80
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | psize | 80
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | type | 120
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | mtime | 100
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | crc | 70
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_0 | 38000000730100000402000000000000D4D0C800000000000000000000000000FA0103000000000039000000B40200000000000001000000
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_1 | 38000000730100000500000000000000D4D0C800000000000000000000000000F201040000000000160000002A0000000000000002000000
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_2 | 38000000730100000400000000000000D4D0C800000000000000000000000000560105000000000016000000640000000000000003000000
2304 | tapinstall.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus | setupapi.app.log | 4096
2304 | tapinstall.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus | setupapi.dev.log | 4096
2304 | tapinstall.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2232 | DrvInst.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | Blob | 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
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore | SrCreateRp (Enter) | 40000000000000000525C3CA4377D401B808000030060000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | SppCreate (Enter) | 40000000000000005F87C5CA4377D401B808000030060000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP | LastIndex | 20
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | SppGatherWriterMetadata (Enter) | 400000000000000001E443CB4377D401B808000030060000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | IDENTIFY (Enter) | 4000000000000000B5A848CB4377D401B80800004C0A0000E8030000010000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | IDENTIFY (Leave) | 4000000000000000A1369BCC4377D401B80800004C0A0000E8030000000000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | SppGatherWriterMetadata (Leave) | 40000000000000008B415AD24377D401B808000030060000D3070000010000000000000000000000000000000000000000000000000000000000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | SppAddInterestingComponents (Enter) | 40000000000000008B415AD24377D401B808000030060000D4070000000000000000000000000000000000000000000000000000000000000000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | SppAddInterestingComponents (Leave) | 40000000000000005B546DD24377D401B808000030060000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | PREPAREBACKUP (Enter) | 40000000000000002B6780D24377D401B8080000680B0000E9030000010000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | PREPAREBACKUP (Leave) | 400000000000000017C8A1D24377D401B8080000680B0000E9030000000000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | GETSTATE (Enter) | 400000000000000017C8A1D24377D401B8080000340D0000F9030000010000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | GETSTATE (Leave) | 4000000000000000E7DAB4D24377D401B8080000340D0000F9030000000000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | DOSNAPSHOT (Enter) | 40000000000000009B9FB9D24377D401B8080000300600000A040000010000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | DOSNAPSHOT (Leave) | 40000000000000006330CED34377D401B8080000E80A00000A040000000000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | SppCreate (Leave) | 40000000000000006330CED34377D401B808000030060000D0070000010000000000000000000000000000000000000000000000000000000000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore | SrCreateRp (Leave) | 4000000000000000BD92D0D34377D401B808000030060000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore | FirstRun | 0
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore | LastIndex | 20
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile | NestingLevel | 1
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile | StartNesting | 0525C3CA4377D401
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile | NestingLevel | 0
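Grouping the writes by the key family they touch, rather than by process, is the quickest way to separate installer and VSS noise from the handful of entries worth a second look. The Python script below is an added triage example, not part of the ANY.RUN report or of CyberGhost's software: it takes records in the one-line form PID | process | operation | key | name | value, runs them through a small rule table, and tags certificate-store writes, NDIS class driver setup, Uninstall entries, Event Log source registration and WebBrowser-control feature flags. The sample input is constructed from nine of the writes listed on this page (the certificate Blob data is not on the page and is replaced by a placeholder; the WinRAR line is left without a value field to exercise that case). The tag names and patterns are the example's own, not an ANY.RUN taxonomy.

```python
"""Tag sandbox registry writes by the key family they touch.

Added example for this report, not ANY.RUN's or CyberGhost's code. Input
records are one per line: PID | process | operation | key | name | value
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RegWrite:
    pid: int
    process: str
    op: str
    key: str
    name: str
    value: str


# Constructed sample: nine writes copied from the listing above. The cert Blob
# data is not on the page and is a placeholder; the WinRAR line deliberately
# has no value field.
SAMPLE = r"""
1256 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011 | ComponentId | tap0901
1256 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011 | AllowNonAdmin | 1
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CyberGhost 6_is1 | UninstallString | "C:\Program Files\CyberGhost 6\unins000.exe"
3252 | Full CyberGhost_6.0.6.2540_Cracksu.com.tmp | write | HKEY_CURRENT_USER\Software\CyberGhost | LoginServer | rest.cyberghostvpn.com
2560 | CyberGhost.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | CyberGhost.exe | 0
3112 | CyberGhost.Service.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\CG6Service | EventMessageFile | C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll
3984 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC | Blob | <binary blob omitted>
2232 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore | SrCreateRp (Enter) | 40000000000000000525C3CA4377D401B808000030060000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
"""

_FIELD_SEP = re.compile(r"\s*\|\s*")


def parse_line(line: str) -> RegWrite | None:
    """Parse one record; a missing trailing value becomes ''."""
    line = line.strip()
    if not line:
        return None
    parts = _FIELD_SEP.split(line, maxsplit=5)  # value data may contain '|'
    parts += [""] * (6 - len(parts))
    pid, process, op, key, name, value = parts
    return RegWrite(int(pid), process, op, key, name, value)


def parse(text: str) -> list[RegWrite]:
    return [w for w in map(parse_line, text.splitlines()) if w is not None]


# (tag, pattern tested against "key\name", why a reviewer cares). The tags and
# patterns are this example's own, not an ANY.RUN taxonomy.
RULES = [
    ("cert-store", re.compile(r"\\SystemCertificates\\(TrustedPublisher|Root|CA|AuthRoot)\\Certificates\\", re.I),
     "adds a certificate to a machine-wide trust store; check the thumbprint"),
    ("driver-install", re.compile(r"\\Control\\Class\\\{4D36E972-E325-11CE-BFC1-08002BE10318\}\\", re.I),
     "installs or configures a network (NDIS) class driver"),
    ("uninstall-entry", re.compile(r"\\CurrentVersion\\Uninstall\\", re.I),
     "registers an Add/Remove Programs entry; its paths show where files landed"),
    ("eventlog-source", re.compile(r"\\services\\eventlog\\", re.I),
     "registers an Event Log source, usually for a new Windows service"),
    ("ie-feature-control", re.compile(r"\\Internet Explorer\\Main\\FeatureControl\\", re.I),
     "sets WebBrowser-control feature flags for a named executable"),
]
# Written as 0, these two flags switch Local Machine Zone lockdown off for the
# named process, so they get an extra tag on top of the family tag.
_LMZ_FLAGS = ("FEATURE_LOCALMACHINE_LOCKDOWN", "FEATURE_BLOCK_LMZ_SCRIPT")


def classify(w: RegWrite) -> list[str]:
    path = f"{w.key}\\{w.name}"
    tags = [tag for tag, pat, _ in RULES if pat.search(path)]
    if w.key.endswith(_LMZ_FLAGS) and w.value == "0":
        tags.append("ie-lmz-relaxed")
    return tags


def triage(writes: list[RegWrite]) -> dict[str, list[RegWrite]]:
    """Group writes by tag; writes matching no rule land under 'untagged'."""
    report: dict[str, list[RegWrite]] = defaultdict(list)
    for w in writes:
        for tag in classify(w) or ["untagged"]:
            report[tag].append(w)
    return dict(report)


if __name__ == "__main__":
    why = {tag: reason for tag, _, reason in RULES}
    why["ie-lmz-relaxed"] = "Local Machine Zone lockdown switched off for this executable"
    for tag, hits in triage(parse(SAMPLE)).items():
        print(f"== {tag}: {why.get(tag, 'no rule matched')}")
        for w in hits:
            print(f"   pid {w.pid} {w.process}: {w.key}\\{w.name} = {w.value!r}")
```

Two caveats when reading its output against this run. The TrustedPublisher write by DrvInst.exe is what Windows records when the signer of a driver package is accepted as a trusted publisher during a driver install (this task installs the TAP-Windows adapter with UAC auto-confirmation on), so the tag means "confirm the thumbprint", not "malicious". Likewise the FEATURE_LOCALMACHINE_LOCKDOWN and FEATURE_BLOCK_LMZ_SCRIPT values of 0 are per-executable settings for the WebBrowser control embedded in CyberGhost.exe; they widen what local-zone content that control may run and are worth noting, but they are configuration, not persistence.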
556 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
1100 | wyUpdate.exe | write | HKEY_USERS\.DEFAULT\Software\Microsoft\GDIPlus | FontCachePath | C:\Windows\system32\config\systemprofile\AppData\Local
1100 | wyUpdate.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wyUpdate_RASAPI32 | EnableFileTracing | 0
1100 | wyUpdate.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wyUpdate_RASAPI32 | EnableConsoleTracing | 0
1100 | wyUpdate.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wyUpdate_RASAPI32 | FileTracingMask | 4294901760
1100 | wyUpdate.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wyUpdate_RASAPI32 | ConsoleTracingMask | 4294901760
1100 | wyUpdate.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wyUpdate_RASAPI32 | MaxFileSize | 1048576
1100 | wyUpdate.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wyUpdate_RASAPI32 | FileDirectory | %windir%\tracing
1100 | wyUpdate.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wyUpdate_RASMANCS | EnableFileTracing | 0
1100 | wyUpdate.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wyUpdate_RASMANCS | EnableConsoleTracing | 0
1100 | wyUpdate.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wyUpdate_RASMANCS | FileTracingMask | 4294901760
1100 | wyUpdate.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wyUpdate_RASMANCS | ConsoleTracingMask | 4294901760
1100 | wyUpdate.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wyUpdate_RASMANCS | MaxFileSize | 1048576
1100 | wyUpdate.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wyUpdate_RASMANCS | FileDirectory | %windir%\tracing
1100 | wyUpdate.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer | IDENTIFY (Enter) | 4000000000000000ED4465CB4377D401F40C0000C80C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | IDENTIFY (Enter) | 4000000000000000ED4465CB4377D401F40C0000BC0E0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | IDENTIFY (Enter) | 4000000000000000ED4465CB4377D401F40C0000480D0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | IDENTIFY (Enter) | 4000000000000000ED4465CB4377D401F40C0000F80E0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | IDENTIFY (Leave) | 4000000000000000099373CB4377D401F40C0000480D0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | IDENTIFY (Leave) | 4000000000000000099373CB4377D401F40C0000BC0E0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer | IDENTIFY (Leave) | 400000000000000017BA7ACB4377D401F40C0000C80C0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | IDENTIFY (Leave) | 4000000000000000CB7E7FCB4377D401F40C0000F80E0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_BEGINPREPARE (Enter) | 40000000000000002B6780D24377D401F40C0000F80E000001040000010000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_BEGINPREPARE (Leave) | 40000000000000002B6780D24377D401F40C0000F80E000001040000000000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | PREPAREBACKUP (Enter) | 400000000000000093F089D24377D401F40C0000C80C0000E9030000010000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | PREPAREBACKUP (Enter) | 400000000000000093F089D24377D401F40C0000F80E0000E9030000010000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | PREPAREBACKUP (Enter) | 400000000000000093F089D24377D401F40C0000BC0E0000E9030000010000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | PREPAREBACKUP (Leave) | 4000000000000000ED528CD24377D401F40C0000C80C0000E9030000000000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | VSS_WS_STABLE (SetCurrentState) | 4000000000000000ED528CD24377D401F40C0000C80C000001000000010000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | PREPAREBACKUP (Leave) | 400000000000000047B58ED24377D401F40C0000F80E0000E9030000000000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | VSS_WS_STABLE (SetCurrentState) | 400000000000000047B58ED24377D401F40C0000F80E000001000000010000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | PREPAREBACKUP (Leave) | 400000000000000047B58ED24377D401F40C0000BC0E0000E9030000000000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | VSS_WS_STABLE (SetCurrentState) | 400000000000000047B58ED24377D401F40C0000BC0E000001000000010000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | GETSTATE (Enter) | 4000000000000000E7DAB4D24377D401F40C0000BC0E0000F9030000010000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | GETSTATE (Enter) | 4000000000000000E7DAB4D24377D401F40C0000C80C0000F9030000010000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | GETSTATE (Enter) | 4000000000000000E7DAB4D24377D401F40C0000F80E0000F9030000010000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | GETSTATE (Leave) | 4000000000000000E7DAB4D24377D401F40C0000C80C0000F9030000000000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | GETSTATE (Leave) | 4000000000000000E7DAB4D24377D401F40C0000F80E0000F9030000000000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | GETSTATE (Leave) | 4000000000000000E7DAB4D24377D401F40C0000BC0E0000F9030000000000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_ENDPREPARE (Enter) | 40000000000000009B9FB9D24377D401F40C0000340C000002040000010000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_ENDPREPARE (Leave) | 40000000000000004B233FD34377D401F40C0000340C000002040000000000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | PREPARESNAPSHOT (Enter) | 4000000000000000A58541D34377D401F40C0000340C0000EA030000010000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | PREPARESNAPSHOT (Enter) | 400000000000000067714DD34377D401F40C0000DC030000EA030000010000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | PREPARESNAPSHOT (Enter) | 400000000000000067714DD34377D401F40C00001C0D0000EA030000010000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | PREPARESNAPSHOT (Enter) | 400000000000000067714DD34377D401F40C0000B00E0000EA030000010000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | PREPARESNAPSHOT (Leave) | 4000000000000000378460D34377D401F40C0000DC030000EA030000000000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) | 4000000000000000378460D34377D401F40C0000DC03000002000000010000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | PREPARESNAPSHOT (Leave) | 400000000000000091E662D34377D401F40C00001C0D0000EA030000000000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) | 400000000000000091E662D34377D401F40C00001C0D000002000000010000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | PREPARESNAPSHOT (Leave) | 400000000000000091E662D34377D401F40C0000B00E0000EA030000000000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | VSS_WS_WAITING_FOR_FREEZE (SetCurrentState) | 400000000000000091E662D34377D401F40C0000B00E000002000000010000000100000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | PREPARESNAPSHOT (Leave) | 40000000000000003F3390D34377D401F40C0000340C0000EA030000000000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE (Enter) | 40000000000000003F3390D34377D401F40C0000340C0000EB030000010000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_FRONT (Enter) | 40000000000000003F3390D34377D401F40C0000340C0000EC030000010000000000000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | FREEZE (Enter) | 4000000000000000999592D34377D401F40C00008C0C0000EB030000010000000200000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | FREEZE (Leave) | 4000000000000000999592D34377D401F40C00008C0C0000EB030000000000000200000000000000800C777E72E2AA439A077071D55B9B1D0000000000000000
3316 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | VSS_WS_WAITING_FOR_THAW (SetCurrentState) | 4000000000000000999592D34377D401F40C00008C0C00000300000001000000020000000000000