General Info

File name

easytether.exe

Full analysis
https://app.any.run/tasks/3c809d57-b7f7-42b1-9ea8-0a629b47fe1d
Verdict
Malicious activity
Analysis date
5/15/2019, 09:21:04
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

148891321baacf74d256d8020b7a78e5

SHA1

06b1aca2036cee473b71801957e2713f35e595a4

SHA256

8d9c740b013685e29d8f61e79d97790f5c7cddd9dd2ef4c53f0fe76d310e58bf

SSDEEP

98304:GfUbaFTldrQrV3sNPGlxuqcBNC3Wg2aDcezBSK778Srn9vtsh5BdYOZl+ZtmOdNe:GfU+FlOtKCWCms7778Srn9vtshH/ZkZ8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • easytthr.exe (PID: 3880)
  • easytether-bundle.exe (PID: 3004)
  • easytether.exe (PID: 3084)
  • easytthr.exe (PID: 3412)
  • easytether-bundle.exe (PID: 2072)
  • easytether.exe (PID: 2640)
Changes the autorun value in the registry
  • easytether-bundle.exe (PID: 3004)
  • easytether-bundle.exe (PID: 2072)
Loads dropped or rewritten executable
  • easytether.exe (PID: 3084)
  • easytether.exe (PID: 2640)
Executable content was dropped or overwritten
  • DrvInst.exe (PID: 2224)
  • MsiExec.exe (PID: 1100)
  • MsiExec.exe (PID: 2300)
  • DrvInst.exe (PID: 2068)
  • easytether.exe (PID: 3084)
  • easytether.exe (PID: 3984)
  • MsiExec.exe (PID: 1388)
  • DrvInst.exe (PID: 1340)
  • MsiExec.exe (PID: 3760)
  • msiexec.exe (PID: 2608)
  • easytether-bundle.exe (PID: 2072)
  • easytether.exe (PID: 3908)
  • easytether.exe (PID: 2640)
Searches for installed software
  • DrvInst.exe (PID: 2224)
  • easytether-bundle.exe (PID: 3004)
  • DrvInst.exe (PID: 2068)
  • DrvInst.exe (PID: 1340)
  • easytether-bundle.exe (PID: 2072)
Uses RUNDLL32.EXE to load library
  • DrvInst.exe (PID: 2224)
  • DrvInst.exe (PID: 2068)
  • DrvInst.exe (PID: 1340)
Creates files in the driver directory
  • DrvInst.exe (PID: 2224)
  • DrvInst.exe (PID: 2068)
  • MsiExec.exe (PID: 3760)
  • DrvInst.exe (PID: 1340)
Creates files in the Windows directory
  • DrvInst.exe (PID: 2224)
  • MsiExec.exe (PID: 2300)
  • DrvInst.exe (PID: 2068)
  • MsiExec.exe (PID: 3760)
  • DrvInst.exe (PID: 1340)
Removes files from Windows directory
  • DrvInst.exe (PID: 2224)
  • MsiExec.exe (PID: 2300)
  • DrvInst.exe (PID: 2068)
  • MsiExec.exe (PID: 3760)
  • DrvInst.exe (PID: 1340)
Starts itself from another location
  • easytether.exe (PID: 3084)
  • easytether.exe (PID: 2640)
Creates a software uninstall entry
  • easytether-bundle.exe (PID: 3004)
  • easytether-bundle.exe (PID: 2072)
Changes the autorun value in the registry
  • msiexec.exe (PID: 2608)
Creates files in the program directory
  • easytether-bundle.exe (PID: 2072)
Loads dropped or rewritten executable
  • MsiExec.exe (PID: 1100)
  • msiexec.exe (PID: 2608)
  • MsiExec.exe (PID: 3168)
  • MsiExec.exe (PID: 3208)
  • MsiExec.exe (PID: 2300)
  • MsiExec.exe (PID: 1388)
  • MsiExec.exe (PID: 3108)
  • MsiExec.exe (PID: 3760)
  • MsiExec.exe (PID: 3072)
Creates a software uninstall entry
  • msiexec.exe (PID: 2608)
Creates or modifies windows services
  • MsiExec.exe (PID: 3760)
Application launched itself
  • msiexec.exe (PID: 2608)
Creates files in the program directory
  • msiexec.exe (PID: 2608)
Adds / modifies Windows certificates
  • DrvInst.exe (PID: 3020)
Changes settings of System certificates
  • DrvInst.exe (PID: 3020)
Low-level read access rights to disk partition
  • vssvc.exe (PID: 1740)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Win64 Executable (generic) (64.6%)
.dll
|   Win32 Dynamic Link Library (generic) (15.4%)
.exe
|   Win32 Executable (generic) (10.5%)
.exe
|   Generic Win/DOS Executable (4.6%)
.exe
|   DOS Executable Generic (4.6%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2017:11:18 23:00:38+01:00
PEType:
PE32
LinkerVersion:
14.11
CodeSize:
301568
InitializedDataSize:
159232
UninitializedDataSize:
null
EntryPoint:
0x2e2a6
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
FileVersionNumber:
1.3.4.0
ProductVersionNumber:
1.3.4.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Windows, Latin1
CompanyName:
Mobile Stream
FileDescription:
EasyTether
FileVersion:
1.3.4
InternalName:
setup
LegalCopyright:
Copyright (c) Mobile Stream. All rights reserved.
OriginalFileName:
easytether-bundle.exe
ProductName:
EasyTether
ProductVersion:
1.3.4
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
18-Nov-2017 22:00:38
Detected languages
English - United States
Debug artifacts
C:\agent\_work\8\s\build\ship\x86\burn.pdb
CompanyName:
Mobile Stream
FileDescription:
EasyTether
FileVersion:
1.3.4
InternalName:
setup
LegalCopyright:
Copyright (c) Mobile Stream. All rights reserved.
OriginalFilename:
easytether-bundle.exe
ProductName:
EasyTether
ProductVersion:
1.3.4
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000110
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
6
Time date stamp:
18-Nov-2017 22:00:38
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00001000 0x00049937 0x00049A00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.57001
.rdata 0x0004B000 0x0001ED60 0x0001EE00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.11423
.data 0x0006A000 0x00001730 0x00000A00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.15266
.wixburn8 0x0006C000 0x00000038 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 0.731255
.rsrc 0x0006D000 0x000035FC 0x00003600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.15101
.reloc 0x00071000 0x00003DFC 0x00003E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 6.79434
Resources
1

Imports
    ADVAPI32.dll

    USER32.dll

    OLEAUT32.dll

    GDI32.dll

    SHELL32.dll

    ole32.dll

    KERNEL32.dll

    RPCRT4.dll

    Cabinet.dll (delay-loaded)

Exports

    No exports.

Screenshots

Processes

Total processes
73
Monitored processes
29
Malicious processes
10
Suspicious processes
2

Behavior graph

+
drop and start start drop and start drop and start drop and start drop and start drop and start easytether.exe easytether.exe easytether-bundle.exe vssvc.exe no specs drvinst.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe drvinst.exe rundll32.exe no specs drvinst.exe no specs easytthr.exe no specs msiexec.exe no specs msiexec.exe drvinst.exe rundll32.exe no specs drvinst.exe no specs easytether.exe easytether.exe easytether-bundle.exe drvinst.exe no specs easytthr.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe drvinst.exe rundll32.exe no specs drvinst.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3908
CMD
"C:\Users\admin\Desktop\easytether.exe"
Path
C:\Users\admin\Desktop\easytether.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Mobile Stream
Description
EasyTether
Version
1.3.4
Modules
Image
c:\users\admin\desktop\easytether.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\msi.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\feclient.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\{93807057-b9db-431c-adfd-82874cc9751c}\.cr\easytether.exe

PID
2640
CMD
"C:\Users\admin\AppData\Local\Temp\{93807057-B9DB-431C-ADFD-82874CC9751C}\.cr\easytether.exe" -burn.clean.room="C:\Users\admin\Desktop\easytether.exe" -burn.filehandle.attached=148 -burn.filehandle.self=156
Path
C:\Users\admin\AppData\Local\Temp\{93807057-B9DB-431C-ADFD-82874CC9751C}\.cr\easytether.exe
Indicators
Parent process
easytether.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Mobile Stream
Description
EasyTether
Version
1.3.4
Modules
Image
c:\users\admin\appdata\local\temp\{93807057-b9db-431c-adfd-82874cc9751c}\.cr\easytether.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\version.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\profapi.dll
c:\windows\system32\feclient.dll
c:\users\admin\appdata\local\temp\{4060503e-0d33-4733-9cb7-ee300d8a3a2c}\.ba\wixstdba.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll

PID
2072
CMD
"C:\Users\admin\AppData\Local\Temp\{4060503E-0D33-4733-9CB7-EE300D8A3A2C}\.be\easytether-bundle.exe" -q -burn.elevated BurnPipe.{6C01A58D-C4A5-4B75-A683-1FB38F0FCED7} {F934A517-D4C5-4CEA-AA53-304BB812648C} 2640
Path
C:\Users\admin\AppData\Local\Temp\{4060503E-0D33-4733-9CB7-EE300D8A3A2C}\.be\easytether-bundle.exe
Indicators
Parent process
easytether.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Mobile Stream
Description
EasyTether
Version
1.3.4
Modules
Image
c:\users\admin\appdata\local\temp\{4060503e-0d33-4733-9cb7-ee300d8a3a2c}\.be\easytether-bundle.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\msi.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\feclient.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\profapi.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wuapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\wups.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll

PID
1740
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
3020
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000574" "00000304"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

PID
2608
CMD
C:\Windows\system32\msiexec.exe /V
Path
C:\Windows\system32\msiexec.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msisip.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\propsys.dll
c:\program files\mobile stream\easytether\easytthr.exe
c:\program files\mobile stream\easytether\ndis51\easytthr.sys
c:\program files\mobile stream\easytether\adb\wdfcoinstaller01009.dll
c:\program files\mobile stream\easytether\adb\winusbcoinstaller2.dll

PID
3072
CMD
C:\Windows\system32\MsiExec.exe -Embedding CFFCB1DBE0DCD93C42761B5EDB2E34D9
Path
C:\Windows\system32\MsiExec.exe
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msi6599.tmp
c:\windows\installer\msicb0e.tmp

PID
3760
CMD
C:\Windows\system32\MsiExec.exe -Embedding 74B26317BB5C27C918E12433C2711285 M Global\MSI0000
Path
C:\Windows\system32\MsiExec.exe
Indicators
Parent process
msiexec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msi67fc.tmp
c:\windows\system32\wintrust.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\spinf.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\spfileq.dll
c:\windows\system32\drvstore.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\netcfgx.dll
c:\windows\system32\slc.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ndiscapcfg.dll
c:\windows\system32\rascfg.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\mprmsg.dll
c:\windows\system32\tcpipcfg.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\nci.dll
c:\windows\system32\wlaninst.dll
c:\windows\system32\wwaninst.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshnetbs.dll

PID
1340
CMD
DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{7c10f8c2-e933-184b-7781-a5651c438621}\easytthr.inf" "0" "63cc35f7b" "00000574" "WinSta0\Default" "000004D8" "208" "C:\Windows\system32\DRVSTORE\easytthr_77932899B7A0A3A1A551BD93D66DAE7B655D4D4D"
Path
C:\Windows\system32\DrvInst.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\drvstore.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\spinf.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\ntmarta.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll

PID
2660
CMD
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3007b528-e7f3-6a71-0181-b47e6cbe2509} Global\{2a4b6381-00ac-06b3-5d1d-eb24ce34e038} C:\Windows\System32\DriverStore\Temp\{38617568-b83f-5068-72d2-8f1ccc9a9d68}\easytthr.inf C:\Windows\System32\DriverStore\Temp\{38617568-b83f-5068-72d2-8f1ccc9a9d68}\easytthr.cat
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
DrvInst.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\pnpui.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\dui70.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\spinf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\duser.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\netutils.dll

PID
1260
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "00000000" "000005C8" "000005EC"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

PID
3412
CMD
"C:\Program Files\Mobile Stream\EasyTether\easytthr.exe" /s
Path
C:\Program Files\Mobile Stream\EasyTether\easytthr.exe
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Mobile Stream
Description
EasyTether Tray
Version
1.3.4.0
Modules
Image
c:\program files\mobile stream\easytether\easytthr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\wintrust.dll

PID
3108
CMD
C:\Windows\system32\MsiExec.exe -Embedding 52A4A0D38186E905C18EBC58DE54C0C9
Path
C:\Windows\system32\MsiExec.exe
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msie7fe.tmp
c:\windows\installer\msi43ce.tmp

PID
1388
CMD
C:\Windows\system32\MsiExec.exe -Embedding 04142203DF272AB6763851AD29F89F9F M Global\MSI0000
Path
C:\Windows\system32\MsiExec.exe
Indicators
Parent process
msiexec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msiea52.tmp
c:\windows\system32\wintrust.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\spinf.dll
c:\windows\system32\drvstore.dll
c:\windows\system32\cabinet.dll

PID
2068
CMD
DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{3d9422c4-e907-1484-afa3-a2379a1e1406}\adb.inf" "0" "6e04f4ae3" "000005EC" "WinSta0\Default" "000003DC" "208" "C:\Program Files\Mobile Stream\EasyTether\adb"
Path
C:\Windows\system32\DrvInst.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\drvstore.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\apphelp.dll
c:\windows\system32\spinf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
416
CMD
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{6778839f-7705-3c4c-3d70-4246a1a9b811} Global\{74869a3d-bb6d-3b73-571c-ac216927894e} C:\Windows\System32\DriverStore\Temp\{484d8bd9-2301-0a12-b089-b94a1c592749}\adb.inf
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
DrvInst.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\pnpui.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\dui70.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\spinf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\duser.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\netutils.dll

PID
2976
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "00000000" "000005D4" "000005E4"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\fveui.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

PID
3984
CMD
"C:\Users\admin\Desktop\easytether.exe"
Path
C:\Users\admin\Desktop\easytether.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Mobile Stream
Description
EasyTether
Version
1.3.4
Modules
Image
c:\users\admin\desktop\easytether.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\msi.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\feclient.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\{d3c7ae5d-7459-4b68-b14f-c13baf848eda}\.cr\easytether.exe

PID
3084
CMD
"C:\Users\admin\AppData\Local\Temp\{D3C7AE5D-7459-4B68-B14F-C13BAF848EDA}\.cr\easytether.exe" -burn.clean.room="C:\Users\admin\Desktop\easytether.exe" -burn.filehandle.attached=148 -burn.filehandle.self=156
Path
C:\Users\admin\AppData\Local\Temp\{D3C7AE5D-7459-4B68-B14F-C13BAF848EDA}\.cr\easytether.exe
Indicators
Parent process
easytether.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Mobile Stream
Description
EasyTether
Version
1.3.4
Modules
Image
c:\users\admin\appdata\local\temp\{d3c7ae5d-7459-4b68-b14f-c13baf848eda}\.cr\easytether.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\version.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\profapi.dll
c:\windows\system32\feclient.dll
c:\users\admin\appdata\local\temp\{ec089ce6-51f5-4b47-ba42-4a5922e4d18e}\.ba\wixstdba.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll

PID
3004
CMD
"C:\Users\admin\AppData\Local\Temp\{EC089CE6-51F5-4B47-BA42-4A5922E4D18E}\.be\easytether-bundle.exe" -q -burn.elevated BurnPipe.{73F31EC3-07C6-43A4-B1A0-72278AF22561} {024171E2-524F-4067-A662-38C96DE2E283} 3084
Path
C:\Users\admin\AppData\Local\Temp\{EC089CE6-51F5-4B47-BA42-4A5922E4D18E}\.be\easytether-bundle.exe
Indicators
Parent process
easytether.exe
User
admin
Integrity Level
HIGH
Version:
Company
Mobile Stream
Description
EasyTether
Version
1.3.4
Modules
Image
c:\users\admin\appdata\local\temp\{ec089ce6-51f5-4b47-ba42-4a5922e4d18e}\.be\easytether-bundle.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\msi.dll
c:\windows\system32\version.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\feclient.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\profapi.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wuapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\wups.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll

PID
3184
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot21" "" "" "6f9bf5bcb" "00000000" "000005E4" "000004A8"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\fveui.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

PID
3880
CMD
"C:\Program Files\Mobile Stream\EasyTether\easytthr.exe" /q
Path
C:\Program Files\Mobile Stream\EasyTether\easytthr.exe
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Mobile Stream
Description
EasyTether Tray
Version
1.3.4.0
Modules
Image
c:\program files\mobile stream\easytether\easytthr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

PID
3208
CMD
C:\Windows\system32\MsiExec.exe -Embedding 0EDF20910FB9B5BAA731D449856303B7
Path
C:\Windows\system32\MsiExec.exe
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msi39f7.tmp
c:\windows\installer\msi4229.tmp

PID
2300
CMD
C:\Windows\system32\MsiExec.exe -Embedding BBF5E93101450FE2D04FA3DCDCF322BA M Global\MSI0000
Path
C:\Windows\system32\MsiExec.exe
Indicators
Parent process
msiexec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msi3bed.tmp
c:\windows\system32\wintrust.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\spinf.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\spfileq.dll
c:\windows\system32\drvstore.dll
c:\windows\system32\netcfgx.dll
c:\windows\system32\slc.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\drivers\pacer.sys
c:\windows\system32\tcpipcfg.dll
c:\windows\system32\lltdres.dll
c:\windows\system32\rascfg.dll
c:\windows\system32\sstpsvc.dll
c:\windows\system32\ndiscapcfg.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\mprmsg.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\dhcpcsvc6.dll

PID
3168
CMD
C:\Windows\system32\MsiExec.exe -Embedding B6B1DCF1E9C87115AA99D09E24A896F7
Path
C:\Windows\system32\MsiExec.exe
Indicators
No indicators
Parent process
msiexec.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msi596c.tmp
c:\windows\installer\msibd4b.tmp

PID
1100
CMD
C:\Windows\system32\MsiExec.exe -Embedding B7616D76488C8608FBC00AD92B277A7D M Global\MSI0000
Path
C:\Windows\system32\MsiExec.exe
Indicators
Parent process
msiexec.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msi5ad6.tmp
c:\windows\system32\wintrust.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\spinf.dll
c:\windows\system32\drvstore.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\newdev.dll

PID
2224
CMD
DrvInst.exe "4" "20" "C:\Users\admin\AppData\Local\Temp\{2de74021-2608-3834-c9c4-0569aae8bf66}\adb.inf" "0" "6e04f4ae3" "000004A8" "WinSta0\Default" "000003EC" "208" "C:\Program Files\Mobile Stream\EasyTether\adb"
Path
C:\Windows\system32\DrvInst.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\drvstore.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\spinf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
1004
CMD
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{0e1bda3e-3e02-7c1e-be7f-461638a63430} Global\{416328e1-fa22-2c2a-a066-0465a304da3c} C:\Windows\System32\DriverStore\Temp\{020aa766-3a97-5b40-04b4-ee78fe2b4a7d}\adb.inf
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
DrvInst.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\pnpui.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\dui70.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\spinf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\duser.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\netutils.dll

PID
2132
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000005D4" "000005E0"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\fveui.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

Registry activity

Total events
3251
Read events
1831
Write events
1355
Delete events
65

Modification events

PID
Process
Operation
Key
Name
Value
2640
easytether.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2640
easytether.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Enter)
40000000000000000E890CD2EE0AD50118080000EC030000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Enter)
40000000000000000E890CD2EE0AD50118080000EC030000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
LastIndex
20
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Enter)
4000000000000000B0E58AD2EE0AD50118080000EC030000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Enter)
40000000000000000A488DD2EE0AD50118080000C8050000E8030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Leave)
4000000000000000AEDB63D3EE0AD50118080000C8050000E8030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Leave)
40000000000000008210ECD8EE0AD50118080000EC030000D3070000010000000000000000000000000000000000000000000000000000000000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Enter)
40000000000000008210ECD8EE0AD50118080000EC030000D4070000000000000000000000000000000000000000000000000000000000000000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Leave)
4000000000000000F8C0FCD8EE0AD50118080000EC030000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Enter)
40000000000000006E710DD9EE0AD50118080000FC080000E9030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Leave)
4000000000000000F24825D9EE0AD50118080000FC080000E9030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Enter)
4000000000000000F24825D9EE0AD50118080000A8080000F9030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Leave)
400000000000000000702CD9EE0AD50118080000A8080000F9030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Enter)
4000000000000000B43431D9EE0AD50118080000EC0300000A040000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Leave)
4000000000000000741616DAEE0AD50118080000240800000A040000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Leave)
4000000000000000741616DAEE0AD50118080000EC030000D0070000010000000000000000000000000000000000000000000000000000000000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Leave)
4000000000000000741616DAEE0AD50118080000EC030000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
FirstRun
0
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
LastIndex
20
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
0
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
StartNesting
0000000000000000
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
BundleCachePath
C:\ProgramData\Package Cache\{11e8bc09-c842-4244-bf90-2bea82be07c5}\easytether-bundle.exe
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
BundleUpgradeCode
{169C6FDB-D7E9-423E-A687-DC736DE4DA6D}
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
BundleAddonCode
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
BundleDetectCode
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
BundlePatchCode
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
BundleVersion
1.3.4.0
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
VersionMajor
1
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
VersionMinor
3
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
BundleProviderKey
{11e8bc09-c842-4244-bf90-2bea82be07c5}
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
BundleTag
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
EngineVersion
3.11.1.2318
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
DisplayIcon
C:\ProgramData\Package Cache\{11e8bc09-c842-4244-bf90-2bea82be07c5}\easytether-bundle.exe,0
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
DisplayName
EasyTether
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
DisplayVersion
1.3.4
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
Publisher
Mobile Stream
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
HelpLink
http://www.mobile-stream.com/easytether/support
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
URLUpdateInfo
http://www.mobile-stream.com/easytether/drivers
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
NoModify
1
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
QuietUninstallString
"C:\ProgramData\Package Cache\{11e8bc09-c842-4244-bf90-2bea82be07c5}\easytether-bundle.exe" /uninstall /quiet
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
UninstallString
"C:\ProgramData\Package Cache\{11e8bc09-c842-4244-bf90-2bea82be07c5}\easytether-bundle.exe" /uninstall
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
EstimatedSize
8665
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{11e8bc09-c842-4244-bf90-2bea82be07c5}
{11e8bc09-c842-4244-bf90-2bea82be07c5}
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{11e8bc09-c842-4244-bf90-2bea82be07c5}
Version
1.3.4.0
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{11e8bc09-c842-4244-bf90-2bea82be07c5}
DisplayName
EasyTether
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
Resume
1
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
{11e8bc09-c842-4244-bf90-2bea82be07c5}
"C:\ProgramData\Package Cache\{11e8bc09-c842-4244-bf90-2bea82be07c5}\easytether-bundle.exe" /burn.runonce
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
BundleResumeCommandLine
/burn.log.append "C:\Users\admin\AppData\Local\Temp\EasyTether_20190515082127.log"
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{89FB3DAB-CA56-4174-9137-9AF239D429A5}
{89FB3DAB-CA56-4174-9137-9AF239D429A5}
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{89FB3DAB-CA56-4174-9137-9AF239D429A5}
Version
1.3.4
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{89FB3DAB-CA56-4174-9137-9AF239D429A5}
DisplayName
EasyTether
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter
57
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{FA4291C7-406A-4B45-8BDE-483CD7BF5C19}
{FA4291C7-406A-4B45-8BDE-483CD7BF5C19}
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{FA4291C7-406A-4B45-8BDE-483CD7BF5C19}
Version
1.3.4
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Dependencies\{FA4291C7-406A-4B45-8BDE-483CD7BF5C19}
DisplayName
EasyTether ADB USB driver
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
Resume
3
2072
easytether-bundle.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11e8bc09-c842-4244-bf90-2bea82be07c5}
Installed
1
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Enter)
400000000000000072D196D2EE0AD501CC0600006C060000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Enter)
400000000000000072D196D2EE0AD501CC06000044040000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Enter)
400000000000000072D196D2EE0AD501CC06000010080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Enter)
400000000000000072D196D2EE0AD501CC06000038050000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Leave)
400000000000000080F89DD2EE0AD501CC0600006C060000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Leave)
400000000000000080F89DD2EE0AD501CC06000044040000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Leave)
400000000000000034BDA2D2EE0AD501CC06000038050000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Leave)
40000000000000008E1FA5D2EE0AD501CC06000010080000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Enter)
40000000000000006E710DD9EE0AD501CC0600001008000001040000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Leave)
40000000000000006E710DD9EE0AD501CC0600001008000001040000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Enter)
4000000000000000223612D9EE0AD501CC06000010080000E9030000010000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Enter)
4000000000000000223612D9EE0AD501CC06000038050000E9030000010000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
4000000000000000223612D9EE0AD501CC06000044040000E9030000010000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Leave)
4000000000000000D6FA16D9EE0AD501CC06000010080000E9030000000000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000D6FA16D9EE0AD501CC0600001008000001000000010000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Leave)
4000000000000000D6FA16D9EE0AD501CC06000044040000E9030000000000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000D6FA16D9EE0AD501CC0600004404000001000000010000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Leave)
4000000000000000D6FA16D9EE0AD501CC06000038050000E9030000000000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000D6FA16D9EE0AD501CC0600003805000001000000010000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Enter)
4000000000000000A60D2AD9EE0AD501CC06000010080000F9030000010000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Enter)
4000000000000000A60D2AD9EE0AD501CC06000044040000F9030000010000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Enter)
4000000000000000A60D2AD9EE0AD501CC06000038050000F9030000010000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Leave)
4000000000000000A60D2AD9EE0AD501CC06000038050000F9030000000000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Leave)
4000000000000000A60D2AD9EE0AD501CC06000010080000F9030000000000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Leave)
4000000000000000A60D2AD9EE0AD501CC06000044040000F9030000000000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Enter)
4000000000000000B43431D9EE0AD501CC060000FC0A000002040000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Leave)
40000000000000003A43A1D9EE0AD501CC060000FC0A000002040000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Enter)
400000000000000094A5A3D9EE0AD501CC060000FC0A0000EA030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Enter)
4000000000000000FC2EADD9EE0AD501CC06000034090000EA030000010000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Enter)
40000000000000005691AFD9EE0AD501CC060000EC080000EA030000010000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Enter)
40000000000000005691AFD9EE0AD501CC060000E4080000EA030000010000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Leave)
400000000000000034CBC9D9EE0AD501CC060000E4080000EA030000000000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
400000000000000034CBC9D9EE0AD501CC060000E408000002000000010000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Leave)
40000000000000008E2DCCD9EE0AD501CC06000034090000EA030000000000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000008E2DCCD9EE0AD501CC0600003409000002000000010000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Leave)
40000000000000008E2DCCD9EE0AD501CC060000EC080000EA030000000000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000008E2DCCD9EE0AD501CC060000EC08000002000000010000000100000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Leave)
4000000000000000202CEBD9EE0AD501CC060000FC0A0000EA030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Enter)
4000000000000000202CEBD9EE0AD501CC060000FC0A0000EB030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Enter)
4000000000000000202CEBD9EE0AD501CC060000FC0A0000EC030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Enter)
40000000000000007A8EEDD9EE0AD501CC060000A40A0000EB030000010000000200000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Leave)
40000000000000007A8EEDD9EE0AD501CC060000A40A0000EB030000000000000200000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
40000000000000007A8EEDD9EE0AD501CC060000A40A000003000000010000000200000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Enter)
40000000000000007A8EEDD9EE0AD501CC060000140A0000FC030000010000000300000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Leave)
4000000000000000D4F0EFD9EE0AD501CC060000FC0A0000EC030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Enter)
4000000000000000D4F0EFD9EE0AD501CC060000FC0A0000ED030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Leave)
40000000000000002E53F2D9EE0AD501CC060000FC0A0000ED030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Enter)
40000000000000002E53F2D9EE0AD501CC060000FC0A0000EE030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Enter)
4000000000000000E217F7D9EE0AD501CC060000A40A0000EB030000010000000200000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Leave)
4000000000000000E217F7D9EE0AD501CC060000A40A0000EB030000000000000200000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000E217F7D9EE0AD501CC060000A40A000003000000010000000200000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000E217F7D9EE0AD501CC060000E00B0000FC030000010000000300000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Leave)
40000000000000003C7AF9D9EE0AD501CC060000FC0A0000EE030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Enter)
40000000000000003C7AF9D9EE0AD501CC060000FC0A0000F0030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Leave)
40000000000000003C7AF9D9EE0AD501CC060000FC0A0000F0030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Enter)
40000000000000003C7AF9D9EE0AD501CC060000FC0A0000EF030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Enter)
400000000000000096DCFBD9EE0AD501CC060000E4080000EB030000010000000200000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Leave)
4000000000000000A40303DAEE0AD501CC060000E4080000EB030000000000000200000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000A40303DAEE0AD501CC060000E408000003000000010000000200000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000A40303DAEE0AD501CC060000C80C0000FC030000010000000300000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Leave)
4000000000000000A40303DAEE0AD501CC060000FC0A0000EF030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Leave)
4000000000000000A40303DAEE0AD501CC060000FC0A0000EB030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Enter)
4000000000000000A40303DAEE0AD501CC060000FC0A000003040000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Leave)
4000000000000000A40303DAEE0AD501CC060000FC0A000003040000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Enter)
4000000000000000A40303DAEE0AD501CC060000FC0A0000FD030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Enter)
4000000000000000A40303DAEE0AD501CC060000340D0000FD030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Leave)
40000000000000000C8D0CDAEE0AD501CC060000340D0000FD030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Leave)
40000000000000000C8D0CDAEE0AD501CC060000FC0A0000FD030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Enter)
40000000000000000C8D0CDAEE0AD501CC060000340D0000FE030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Leave)
40000000000000001AB413DAEE0AD501CC060000340D0000FE030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Enter)
40000000000000001AB413DAEE0AD501CC060000340D0000FF030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Leave)
40000000000000001AB413DAEE0AD501CC060000340D0000FF030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Enter)
40000000000000000C8D0CDAEE0AD501CC060000FC0A0000FE030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Leave)
40000000000000001AB413DAEE0AD501CC060000FC0A0000FE030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Enter)
40000000000000001AB413DAEE0AD501CC060000FC0A0000FF030000010000000000000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Leave)
40000000000000001AB413DAEE0AD501CC060000FC0A0000FF030000000000000000000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Enter)
40000000000000001AB413DAEE0AD501CC060000280D000004040000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Leave)
40000000000000001AB413DAEE0AD501CC060000280D000004040000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Enter)
40000000000000001AB413DAEE0AD501CC060000FC0A000005040000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Leave)
4000000000000000741616DAEE0AD501CC060000FC0A000005040000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Enter)
4000000000000000741616DAEE0AD501CC060000FC0A0000F4030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Leave)
4000000000000000741616DAEE0AD501CC060000FC0A0000F4030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Enter)
4000000000000000741616DAEE0AD501CC060000FC0A0000F2030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Enter)
400000000000000028DB1ADAEE0AD501CC06000000090000F2030000010000000300000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Enter)
400000000000000028DB1ADAEE0AD501CC060000A40A0000F2030000010000000300000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Enter)
400000000000000028DB1ADAEE0AD501CC060000F0080000F2030000010000000300000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Leave)
400000000000000028DB1ADAEE0AD501CC060000E00B0000FC030000000000000300000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Leave)
400000000000000028DB1ADAEE0AD501CC060000C80C0000FC030000000000000300000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Leave)
400000000000000028DB1ADAEE0AD501CC060000140A0000FC030000000000000300000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Leave)
400000000000000028DB1ADAEE0AD501CC060000A40A0000F2030000000000000300000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
400000000000000028DB1ADAEE0AD501CC060000A40A000004000000010000000300000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Leave)
400000000000000028DB1ADAEE0AD501CC060000F0080000F2030000000000000300000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Leave)
400000000000000028DB1ADAEE0AD501CC06000000090000F2030000000000000300000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
400000000000000028DB1ADAEE0AD501CC060000F008000004000000010000000300000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
400000000000000028DB1ADAEE0AD501CC0600000009000004000000010000000300000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Leave)
4000000000000000823D1DDAEE0AD501CC060000FC0A0000F2030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Enter)
4000000000000000823D1DDAEE0AD501CC060000FC0A000006040000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Leave)
40000000000000008AEC4CDAEE0AD501CC060000FC0A000006040000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Enter)
40000000000000008AEC4CDAEE0AD501CC060000FC0A0000F5030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Enter)
40000000000000005AFF5FDAEE0AD501CC060000EC080000F5030000010000000400000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Enter)
40000000000000005AFF5FDAEE0AD501CC060000A40A0000F5030000010000000400000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Enter)
40000000000000005AFF5FDAEE0AD501CC060000F0080000F5030000010000000400000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Leave)
4000000000000000B46162DAEE0AD501CC060000A40A0000F5030000000000000400000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000B46162DAEE0AD501CC060000A40A000005000000010000000400000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Leave)
4000000000000000B46162DAEE0AD501CC060000EC080000F5030000000000000400000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000B46162DAEE0AD501CC060000EC08000005000000010000000400000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Leave)
4000000000000000C6F619DBEE0AD501CC060000F0080000F5030000000000000400000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000C6F619DBEE0AD501CC060000F008000005000000010000000400000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Leave)
4000000000000000C6F619DBEE0AD501CC060000FC0A0000F5030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Enter)
4000000000000000C6F619DBEE0AD501CC060000FC0A000007040000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Leave)
4000000000000000B2573BDBEE0AD501CC060000FC0A000007040000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Enter)
4000000000000000DCCC50DBEE0AD501CC060000FC0A0000FB030000010000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Enter)
4000000000000000909155DBEE0AD501CC060000EC080000FB030000010000000500000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Enter)
4000000000000000909155DBEE0AD501CC06000000090000FB030000010000000500000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Enter)
4000000000000000909155DBEE0AD501CC060000E4080000FB030000010000000500000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Leave)
4000000000000000909155DBEE0AD501CC060000EC080000FB030000000000000500000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Leave)
4000000000000000909155DBEE0AD501CC060000E4080000FB030000000000000500000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Leave)
4000000000000000909155DBEE0AD501CC06000000090000FB030000000000000500000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Leave)
4000000000000000EAF357DBEE0AD501CC060000FC0A0000FB030000000000000000000000000000DDA49130FFD9EB44BFAE51569C6D54C80000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Enter)
40000000000000004A82F6DFEE0AD501CC06000044040000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Enter)
40000000000000004A82F6DFEE0AD501CC06000010080000E8030000010000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Enter)
40000000000000004A82F6DFEE0AD501CC0600006C060000E8030000010000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Enter)
4000000000000000A4E4F8DFEE0AD501CC06000038050000E8030000010000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Leave)
400000000000000058A9FDDFEE0AD501CC06000038050000E8030000000000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Leave)
4000000000000000B20B00E0EE0AD501CC06000010080000E8030000000000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Leave)
40000000000000000C6E02E0EE0AD501CC06000044040000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Leave)
40000000000000001A9509E0EE0AD501CC0600006C060000E8030000000000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Enter)
400000000000000062707BE6EE0AD501CC0600006C06000001040000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Leave)
400000000000000062707BE6EE0AD501CC0600006C06000001040000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Enter)
4000000000000000CAF984E6EE0AD501CC0600006C060000E9030000010000000500000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Enter)
4000000000000000CAF984E6EE0AD501CC06000010080000E9030000010000000500000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
4000000000000000CAF984E6EE0AD501CC06000044040000E9030000010000000500000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Leave)
4000000000000000245C87E6EE0AD501CC0600006C060000E9030000000000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000245C87E6EE0AD501CC0600006C06000001000000010000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Leave)
4000000000000000245C87E6EE0AD501CC06000044040000E9030000000000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000245C87E6EE0AD501CC0600004404000001000000010000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Leave)
4000000000000000245C87E6EE0AD501CC06000010080000E9030000000000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000245C87E6EE0AD501CC0600001008000001000000010000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Enter)
40000000000000004ED19CE6EE0AD501CC06000010080000F9030000010000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Enter)
40000000000000004ED19CE6EE0AD501CC0600006C060000F9030000010000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Leave)
40000000000000004ED19CE6EE0AD501CC0600006C060000F9030000000000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Enter)
40000000000000004ED19CE6EE0AD501CC06000044040000F9030000010000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Leave)
40000000000000004ED19CE6EE0AD501CC06000010080000F9030000000000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Leave)
40000000000000004ED19CE6EE0AD501CC06000044040000F9030000000000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Enter)
40000000000000000296A1E6EE0AD501CC060000740D000002040000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Leave)
40000000000000004A901DE7EE0AD501CC060000740D000002040000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Enter)
4000000000000000A4F21FE7EE0AD501CC060000740D0000EA030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Enter)
400000000000000066DE2BE7EE0AD501CC060000F0080000EA030000010000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Enter)
400000000000000066DE2BE7EE0AD501CC060000E4080000EA030000010000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Enter)
400000000000000066DE2BE7EE0AD501CC06000000090000EA030000010000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Leave)
4000000000000000905341E7EE0AD501CC060000F0080000EA030000000000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000905341E7EE0AD501CC060000F008000002000000010000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Leave)
4000000000000000EAB543E7EE0AD501CC060000E4080000EA030000000000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000EAB543E7EE0AD501CC060000E408000002000000010000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Leave)
4000000000000000441846E7EE0AD501CC06000000090000EA030000000000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000441846E7EE0AD501CC0600000009000002000000010000000100000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Leave)
40000000000000003EA06EE7EE0AD501CC060000740D0000EA030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Enter)
40000000000000003EA06EE7EE0AD501CC060000740D0000EB030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Enter)
40000000000000003EA06EE7EE0AD501CC060000740D0000EC030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Enter)
4000000000000000980271E7EE0AD501CC06000000090000EB030000010000000200000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Leave)
4000000000000000980271E7EE0AD501CC06000000090000EB030000000000000200000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000980271E7EE0AD501CC0600000009000003000000010000000200000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000980271E7EE0AD501CC060000CC0C0000FC030000010000000300000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Leave)
4000000000000000F26473E7EE0AD501CC060000740D0000EC030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Enter)
4000000000000000F26473E7EE0AD501CC060000740D0000ED030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Leave)
4000000000000000A62978E7EE0AD501CC060000740D0000ED030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Enter)
4000000000000000A62978E7EE0AD501CC060000740D0000EE030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Enter)
4000000000000000008C7AE7EE0AD501CC06000000090000EB030000010000000200000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Leave)
4000000000000000008C7AE7EE0AD501CC06000000090000EB030000000000000200000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000008C7AE7EE0AD501CC0600000009000003000000010000000200000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000008C7AE7EE0AD501CC060000FC050000FC030000010000000300000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Leave)
40000000000000005AEE7CE7EE0AD501CC060000740D0000EE030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Enter)
40000000000000005AEE7CE7EE0AD501CC060000740D0000F0030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Leave)
40000000000000005AEE7CE7EE0AD501CC060000740D0000F0030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Enter)
40000000000000005AEE7CE7EE0AD501CC060000740D0000EF030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Enter)
4000000000000000B4507FE7EE0AD501CC06000000090000EB030000010000000200000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Leave)
4000000000000000C27786E7EE0AD501CC06000000090000EB030000000000000200000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000C27786E7EE0AD501CC0600000009000003000000010000000200000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000C27786E7EE0AD501CC060000A40B0000FC030000010000000300000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Leave)
4000000000000000C27786E7EE0AD501CC060000740D0000EF030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Leave)
4000000000000000C27786E7EE0AD501CC060000740D0000EB030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Enter)
4000000000000000C27786E7EE0AD501CC060000740D000003040000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Leave)
4000000000000000C27786E7EE0AD501CC060000740D000003040000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Enter)
4000000000000000C27786E7EE0AD501CC060000740D0000FD030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Enter)
4000000000000000C27786E7EE0AD501CC060000F00B0000FD030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Leave)
4000000000000000D09E8DE7EE0AD501CC060000F00B0000FD030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Leave)
4000000000000000D09E8DE7EE0AD501CC060000740D0000FD030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Enter)
4000000000000000D09E8DE7EE0AD501CC060000F00B0000FE030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Leave)
4000000000000000DEC594E7EE0AD501CC060000F00B0000FE030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Enter)
4000000000000000DEC594E7EE0AD501CC060000F00B0000FF030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Leave)
4000000000000000DEC594E7EE0AD501CC060000F00B0000FF030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Enter)
4000000000000000D09E8DE7EE0AD501CC060000740D0000FE030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Leave)
4000000000000000DEC594E7EE0AD501CC060000740D0000FE030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Enter)
4000000000000000DEC594E7EE0AD501CC060000740D0000FF030000010000000000000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Leave)
4000000000000000DEC594E7EE0AD501CC060000740D0000FF030000000000000000000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Enter)
4000000000000000DEC594E7EE0AD501CC0600001C0C000004040000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Leave)
4000000000000000DEC594E7EE0AD501CC0600001C0C000004040000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Enter)
4000000000000000DEC594E7EE0AD501CC060000740D000005040000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Leave)
4000000000000000382897E7EE0AD501CC060000740D000005040000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Enter)
4000000000000000382897E7EE0AD501CC060000740D0000F4030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Leave)
4000000000000000382897E7EE0AD501CC060000740D0000F4030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Enter)
4000000000000000382897E7EE0AD501CC060000740D0000F2030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Enter)
4000000000000000083BAAE7EE0AD501CC060000F0080000F2030000010000000300000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000083BAAE7EE0AD501CC060000CC0C0000FC030000000000000300000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Enter)
4000000000000000083BAAE7EE0AD501CC060000A40A0000F2030000010000000300000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000083BAAE7EE0AD501CC060000A40B0000FC030000000000000300000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Leave)
4000000000000000083BAAE7EE0AD501CC060000F0080000F2030000000000000300000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000083BAAE7EE0AD501CC060000F008000004000000010000000300000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Leave)
4000000000000000083BAAE7EE0AD501CC060000A40A0000F2030000000000000300000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000083BAAE7EE0AD501CC060000A40A000004000000010000000300000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Enter)
4000000000000000083BAAE7EE0AD501CC060000EC080000F2030000010000000300000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000083BAAE7EE0AD501CC060000FC050000FC030000000000000300000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Leave)
4000000000000000083BAAE7EE0AD501CC060000EC080000F2030000000000000300000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000083BAAE7EE0AD501CC060000EC08000004000000010000000300000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Leave)
4000000000000000083BAAE7EE0AD501CC060000740D0000F2030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Enter)
4000000000000000083BAAE7EE0AD501CC060000740D000006040000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Leave)
40000000000000005C25D5E7EE0AD501CC060000740D000006040000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Enter)
40000000000000005C25D5E7EE0AD501CC060000740D0000F5030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Enter)
4000000000000000869AEAE7EE0AD501CC060000A40A0000F5030000010000000400000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Enter)
4000000000000000869AEAE7EE0AD501CC060000F0080000F5030000010000000400000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Enter)
4000000000000000869AEAE7EE0AD501CC060000E4080000F5030000010000000400000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Leave)
4000000000000000869AEAE7EE0AD501CC060000E4080000F5030000000000000400000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000869AEAE7EE0AD501CC060000E408000005000000010000000400000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Leave)
4000000000000000869AEAE7EE0AD501CC060000F0080000F5030000000000000400000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000869AEAE7EE0AD501CC060000F008000005000000010000000400000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Leave)
40000000000000008A089BE8EE0AD501CC060000A40A0000F5030000000000000400000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
40000000000000008A089BE8EE0AD501CC060000A40A000005000000010000000400000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Leave)
40000000000000008A089BE8EE0AD501CC060000740D0000F5030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Enter)
40000000000000008A089BE8EE0AD501CC060000740D000007040000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Leave)
4000000000000000C2A4B7E8EE0AD501CC060000740D000007040000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Enter)
40000000000000000868DBE8EE0AD501CC060000740D0000FB030000010000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Enter)
4000000000000000CA53E7E8EE0AD501CC060000F0080000FB030000010000000500000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Enter)
4000000000000000CA53E7E8EE0AD501CC06000000090000FB030000010000000500000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Leave)
4000000000000000CA53E7E8EE0AD501CC060000F0080000FB030000000000000500000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Leave)
4000000000000000CA53E7E8EE0AD501CC06000000090000FB030000000000000500000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Enter)
4000000000000000CA53E7E8EE0AD501CC060000EC080000FB030000010000000500000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Leave)
4000000000000000CA53E7E8EE0AD501CC060000EC080000FB030000000000000500000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Leave)
4000000000000000CA53E7E8EE0AD501CC060000740D0000FB030000000000000000000000000000F7B8907BADD27F4EAA28A199760CFA550000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Enter)
4000000000000000B43F9CF4EE0AD501CC06000010080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Enter)
4000000000000000B43F9CF4EE0AD501CC06000038050000E8030000010000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Enter)
4000000000000000B43F9CF4EE0AD501CC06000044040000E8030000010000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Enter)
4000000000000000B43F9CF4EE0AD501CC0600006C060000E8030000010000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Leave)
4000000000000000C266A3F4EE0AD501CC0600006C060000E8030000000000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Leave)
4000000000000000C266A3F4EE0AD501CC06000044040000E8030000000000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Leave)
4000000000000000762BA8F4EE0AD501CC06000010080000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Leave)
40000000000000008452AFF4EE0AD501CC06000038050000E8030000000000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Enter)
4000000000000000485609FBEE0AD501CC06000010080000010400000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Leave)
4000000000000000A2B80BFBEE0AD501CC06000010080000010400000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
4000000000000000567D10FBEE0AD501CC06000044040000E90300000100000005000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Enter)
4000000000000000567D10FBEE0AD501CC06000010080000E90300000100000005000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Enter)
4000000000000000567D10FBEE0AD501CC06000038050000E90300000100000005000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Leave)
40000000000000000A4215FBEE0AD501CC06000010080000E90300000000000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_STABLE (SetCurrentState)
40000000000000000A4215FBEE0AD501CC06000010080000010000000100000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Leave)
40000000000000000A4215FBEE0AD501CC06000038050000E90300000000000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_STABLE (SetCurrentState)
40000000000000000A4215FBEE0AD501CC06000038050000010000000100000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Leave)
40000000000000000A4215FBEE0AD501CC06000044040000E90300000000000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_STABLE (SetCurrentState)
40000000000000000A4215FBEE0AD501CC06000044040000010000000100000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Enter)
4000000000000000DA5428FBEE0AD501CC06000044040000F90300000100000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Enter)
4000000000000000DA5428FBEE0AD501CC06000010080000F90300000100000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Enter)
4000000000000000DA5428FBEE0AD501CC06000038050000F90300000100000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Leave)
4000000000000000DA5428FBEE0AD501CC06000038050000F90300000000000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Leave)
4000000000000000DA5428FBEE0AD501CC06000010080000F90300000000000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Leave)
4000000000000000DA5428FBEE0AD501CC06000044040000F90300000000000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Enter)
4000000000000000E87B2FFBEE0AD501CC060000940B0000020400000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Leave)
400000000000000098FFB4FBEE0AD501CC060000940B0000020400000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Enter)
4000000000000000F261B7FBEE0AD501CC060000940B0000EA0300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Enter)
4000000000000000B44DC3FBEE0AD501CC06000000090000EA0300000100000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Enter)
4000000000000000B44DC3FBEE0AD501CC060000E4080000EA0300000100000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Enter)
40000000000000000EB0C5FBEE0AD501CC060000EC080000EA0300000100000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Leave)
4000000000000000464CE2FBEE0AD501CC06000000090000EA0300000000000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000464CE2FBEE0AD501CC06000000090000020000000100000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Leave)
40000000000000005473E9FBEE0AD501CC060000E4080000EA0300000000000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000005473E9FBEE0AD501CC060000E4080000020000000100000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Leave)
4000000000000000AED5EBFBEE0AD501CC060000EC080000EA0300000000000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000AED5EBFBEE0AD501CC060000EC080000020000000100000001000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Leave)
400000000000000040D40AFCEE0AD501CC060000940B0000EA0300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Enter)
400000000000000040D40AFCEE0AD501CC060000940B0000EB0300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Enter)
400000000000000040D40AFCEE0AD501CC060000940B0000EC0300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Enter)
4000000000000000A85D14FCEE0AD501CC060000EC080000EB0300000100000002000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Leave)
4000000000000000A85D14FCEE0AD501CC060000EC080000EB0300000000000002000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000A85D14FCEE0AD501CC060000EC080000030000000100000002000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000A85D14FCEE0AD501CC06000044080000FC0300000100000003000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Leave)
400000000000000002C016FCEE0AD501CC060000940B0000EC0300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Enter)
400000000000000002C016FCEE0AD501CC060000940B0000ED0300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Leave)
400000000000000010E71DFCEE0AD501CC060000940B0000ED0300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Enter)
400000000000000010E71DFCEE0AD501CC060000940B0000EE0300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Enter)
40000000000000001E0E25FCEE0AD501CC060000F0080000EB0300000100000002000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Leave)
4000000000000000787027FCEE0AD501CC060000F0080000EB0300000000000002000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000787027FCEE0AD501CC060000F0080000030000000100000002000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000787027FCEE0AD501CC060000900B0000FC0300000100000003000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Leave)
4000000000000000D2D229FCEE0AD501CC060000940B0000EE0300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Enter)
4000000000000000D2D229FCEE0AD501CC060000940B0000F00300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Leave)
4000000000000000D2D229FCEE0AD501CC060000940B0000F00300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Enter)
4000000000000000D2D229FCEE0AD501CC060000940B0000EF0300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Enter)
40000000000000003A5C33FCEE0AD501CC060000F0080000EB0300000100000002000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Leave)
4000000000000000EE2038FCEE0AD501CC060000F0080000EB0300000000000002000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000EE2038FCEE0AD501CC060000F0080000030000000100000002000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000EE2038FCEE0AD501CC060000B4050000FC0300000100000003000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Leave)
4000000000000000EE2038FCEE0AD501CC060000940B0000EF0300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Leave)
4000000000000000EE2038FCEE0AD501CC060000940B0000EB0300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Enter)
4000000000000000EE2038FCEE0AD501CC060000940B0000030400000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Leave)
4000000000000000EE2038FCEE0AD501CC060000940B0000030400000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Enter)
4000000000000000EE2038FCEE0AD501CC060000940B0000FD0300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Enter)
4000000000000000EE2038FCEE0AD501CC06000058080000FD0300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Leave)
400000000000000056AA41FCEE0AD501CC06000058080000FD0300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Leave)
400000000000000056AA41FCEE0AD501CC060000940B0000FD0300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Enter)
400000000000000056AA41FCEE0AD501CC06000058080000FE0300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Leave)
400000000000000064D148FCEE0AD501CC06000058080000FE0300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Enter)
400000000000000064D148FCEE0AD501CC06000058080000FF0300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Leave)
400000000000000064D148FCEE0AD501CC06000058080000FF0300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Enter)
400000000000000056AA41FCEE0AD501CC060000940B0000FE0300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Leave)
400000000000000064D148FCEE0AD501CC060000940B0000FE0300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Enter)
400000000000000064D148FCEE0AD501CC060000940B0000FF030000010000000000000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Leave)
400000000000000064D148FCEE0AD501CC060000940B0000FF030000000000000000000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Enter)
400000000000000064D148FCEE0AD501CC060000340C0000040400000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Leave)
400000000000000064D148FCEE0AD501CC060000340C0000040400000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Enter)
400000000000000064D148FCEE0AD501CC060000940B0000050400000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Leave)
4000000000000000BE334BFCEE0AD501CC060000940B0000050400000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Enter)
4000000000000000BE334BFCEE0AD501CC060000940B0000F40300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Leave)
4000000000000000BE334BFCEE0AD501CC060000940B0000F40300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Enter)
4000000000000000BE334BFCEE0AD501CC060000940B0000F20300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Enter)
400000000000000034E45BFCEE0AD501CC060000E4080000F20300000100000003000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Leave)
400000000000000034E45BFCEE0AD501CC060000B4050000FC0300000000000003000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Leave)
400000000000000034E45BFCEE0AD501CC060000E4080000F20300000000000003000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
400000000000000034E45BFCEE0AD501CC060000E4080000040000000100000003000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Enter)
400000000000000034E45BFCEE0AD501CC06000034090000F20300000100000003000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Leave)
400000000000000034E45BFCEE0AD501CC06000044080000FC0300000000000003000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Enter)
400000000000000034E45BFCEE0AD501CC06000000090000F20300000100000003000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Leave)
400000000000000034E45BFCEE0AD501CC060000900B0000FC0300000000000003000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Leave)
400000000000000034E45BFCEE0AD501CC06000034090000F20300000000000003000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Leave)
400000000000000034E45BFCEE0AD501CC06000000090000F20300000000000003000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
400000000000000034E45BFCEE0AD501CC06000034090000040000000100000003000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
400000000000000034E45BFCEE0AD501CC06000000090000040000000100000003000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Leave)
400000000000000034E45BFCEE0AD501CC060000940B0000F20300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Enter)
400000000000000034E45BFCEE0AD501CC060000940B0000060400000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Leave)
4000000000000000E23089FCEE0AD501CC060000940B0000060400000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Enter)
4000000000000000E23089FCEE0AD501CC060000940B0000F50300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Enter)
40000000000000006090C9FCEE0AD501CC060000EC080000F50300000100000004000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Enter)
40000000000000006090C9FCEE0AD501CC060000A40A0000F50300000100000004000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Enter)
40000000000000006090C9FCEE0AD501CC060000E4080000F50300000100000004000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Leave)
40000000000000001455CEFCEE0AD501CC060000A40A0000F50300000000000004000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Leave)
40000000000000001455CEFCEE0AD501CC060000E4080000F50300000000000004000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
40000000000000001455CEFCEE0AD501CC060000A40A0000050000000100000004000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
40000000000000001455CEFCEE0AD501CC060000E4080000050000000100000004000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Leave)
40000000000000003A8964FDEE0AD501CC060000EC080000F50300000000000004000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
40000000000000003A8964FDEE0AD501CC060000EC080000050000000100000004000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Leave)
40000000000000003A8964FDEE0AD501CC060000940B0000F50300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Enter)
40000000000000003A8964FDEE0AD501CC060000940B0000070400000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Leave)
40000000000000000A9C77FDEE0AD501CC060000940B0000070400000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Enter)
4000000000000000804C88FDEE0AD501CC060000940B0000FB0300000100000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Enter)
4000000000000000423894FDEE0AD501CC06000034090000FB0300000100000005000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Leave)
4000000000000000423894FDEE0AD501CC06000034090000FB0300000000000005000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Enter)
4000000000000000423894FDEE0AD501CC060000A40A0000FB0300000100000005000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Leave)
4000000000000000423894FDEE0AD501CC060000A40A0000FB0300000000000005000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Enter)
4000000000000000423894FDEE0AD501CC060000F0080000FB0300000100000005000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Leave)
4000000000000000423894FDEE0AD501CC060000F0080000FB0300000000000005000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Leave)
4000000000000000423894FDEE0AD501CC060000940B0000FB0300000000000000000000000000008E8D87960364BF41BD27AFF369D06F4B0000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Enter)
40000000000000003449291AEF0AD501CC06000010080000E8030000010000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Enter)
40000000000000003449291AEF0AD501CC0600006C060000E8030000010000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Enter)
40000000000000003449291AEF0AD501CC06000044040000E8030000010000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Enter)
40000000000000003449291AEF0AD501CC06000038050000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Leave)
4000000000000000E80D2E1AEF0AD501CC0600006C060000E8030000000000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Leave)
4000000000000000E80D2E1AEF0AD501CC06000044040000E8030000000000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Leave)
40000000000000004270301AEF0AD501CC06000038050000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Leave)
4000000000000000F634351AEF0AD501CC06000010080000E8030000000000000500000000000000000000000000000000000000000000000000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Enter)
4000000000000000149B9120EF0AD501CC0600001008000001040000010000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Leave)
4000000000000000149B9120EF0AD501CC0600001008000001040000000000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Enter)
40000000000000007C249B20EF0AD501CC06000010080000E9030000010000000500000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
40000000000000007C249B20EF0AD501CC06000044040000E9030000010000000500000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Enter)
40000000000000007C249B20EF0AD501CC06000038050000E9030000010000000500000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Leave)
400000000000000030E99F20EF0AD501CC06000038050000E9030000000000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_STABLE (SetCurrentState)
400000000000000030E99F20EF0AD501CC0600003805000001000000010000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Leave)
400000000000000030E99F20EF0AD501CC06000010080000E9030000000000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_STABLE (SetCurrentState)
400000000000000030E99F20EF0AD501CC0600001008000001000000010000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Leave)
400000000000000030E99F20EF0AD501CC06000044040000E9030000000000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_STABLE (SetCurrentState)
400000000000000030E99F20EF0AD501CC0600004404000001000000010000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Enter)
400000000000000000FCB220EF0AD501CC06000010080000F9030000010000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Enter)
400000000000000000FCB220EF0AD501CC0600006C060000F9030000010000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Enter)
400000000000000000FCB220EF0AD501CC06000044040000F9030000010000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Leave)
40000000000000005A5EB520EF0AD501CC0600006C060000F9030000000000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Leave)
40000000000000005A5EB520EF0AD501CC06000044040000F9030000000000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Leave)
40000000000000005A5EB520EF0AD501CC06000010080000F9030000000000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Enter)
40000000000000000E23BA20EF0AD501CC060000C009000002040000010000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Leave)
4000000000000000860A2321EF0AD501CC060000C009000002040000000000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Enter)
4000000000000000E06C2521EF0AD501CC060000C0090000EA030000010000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Enter)
4000000000000000FCBA3321EF0AD501CC060000A40A0000EA030000010000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Enter)
4000000000000000FCBA3321EF0AD501CC06000034090000EA030000010000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Enter)
4000000000000000FCBA3321EF0AD501CC06000000090000EA030000010000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Leave)
40000000000000008EB95221EF0AD501CC06000034090000EA030000000000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000008EB95221EF0AD501CC0600003409000002000000010000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Leave)
40000000000000008EB95221EF0AD501CC060000A40A0000EA030000000000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000008EB95221EF0AD501CC060000A40A000002000000010000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Leave)
4000000000000000427E5721EF0AD501CC06000000090000EA030000000000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000427E5721EF0AD501CC0600000009000002000000010000000100000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Leave)
40000000000000002EDF7821EF0AD501CC060000C0090000EA030000000000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Enter)
40000000000000002EDF7821EF0AD501CC060000C0090000EB030000010000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Enter)
40000000000000002EDF7821EF0AD501CC060000C0090000EC030000010000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Enter)
400000000000000096688221EF0AD501CC06000000090000EB030000010000000200000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Leave)
400000000000000096688221EF0AD501CC06000000090000EB030000000000000200000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
400000000000000096688221EF0AD501CC0600000009000003000000010000000200000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Enter)
400000000000000096688221EF0AD501CC06000040030000FC030000010000000300000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Leave)
400000000000000096688221EF0AD501CC060000C0090000EC030000000000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Enter)
400000000000000096688221EF0AD501CC060000C0090000ED030000010000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Leave)
4000000000000000FEF18B21EF0AD501CC060000C0090000ED030000000000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Enter)
4000000000000000FEF18B21EF0AD501CC060000C0090000EE030000010000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Enter)
4000000000000000667B9521EF0AD501CC060000F0080000EB030000010000000200000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Leave)
4000000000000000667B9521EF0AD501CC060000F0080000EB030000000000000200000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000667B9521EF0AD501CC060000F008000003000000010000000200000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000667B9521EF0AD501CC0600005C080000FC030000010000000300000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Leave)
4000000000000000667B9521EF0AD501CC060000C0090000EE030000000000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Enter)
4000000000000000667B9521EF0AD501CC060000C0090000F0030000010000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Leave)
4000000000000000667B9521EF0AD501CC060000C0090000F0030000000000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Enter)
4000000000000000667B9521EF0AD501CC060000C0090000EF030000010000000000000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Enter)
4000000000000000CE049F21EF0AD501CC060000F0080000EB030000010000000200000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Leave)
400000000000000090F0AA21EF0AD501CC060000F0080000EB030000000000000200000000000000FB31511482FD9E429BC7251D61458BD40000000000000000
1740
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
400000000000000090F0AA21EF0AD501CC060000F008000003000000010000000200000000000000FB31511482FD9E429BC7251D61458BD40000000000000000