General Info

File name

RAMDisk_1.0.0.27.exe

Full analysis
https://app.any.run/tasks/67f4c418-fcc1-4831-9d2a-4fb1d38cd220
Verdict
Malicious activity
Analysis date
4/15/2019, 03:21:05
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

fc2b16975648a08c895806452c285de7

SHA1

00523081b022e29256cad62e13865c0643c52436

SHA256

c5a8bcb6c0daea9beac3bcf47203a1ceaf94a135d222238dcc15e04de4e552c6

SSDEEP

98304:JmELwwB6lsyX9Qs1ZUscyf6I/Aulk+F/C07n/T0BW:JmELJQH9xZU7yf6I/VZC0LL0BW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • ISWIN2K.exe (PID: 3556)
  • kill.exe (PID: 3260)
  • devcon86.exe (PID: 3012)
  • x86.exe (PID: 3800)
  • PROCTYPE.exe (PID: 640)
  • ISWIN2K.exe (PID: 3480)
  • devcon86.exe (PID: 3436)
  • MSI_RAMDisk_Service.exe (PID: 1360)
  • MSI_RAMDrive_Installer.exe (PID: 296)
  • certmgr.exe (PID: 2848)
  • ServiceControl.exe (PID: 4068)
  • certmgr.exe (PID: 676)
  • certmgr.exe (PID: 2668)
  • RAMDisk.exe (PID: 2976)
  • RAMDisk.exe (PID: 2176)
Loads dropped or rewritten executable
  • DrvInst.exe (PID: 2332)
Changes settings of System certificates
  • devcon86.exe (PID: 3436)
  • ServiceControl.exe (PID: 4068)
  • certmgr.exe (PID: 2668)
  • certmgr.exe (PID: 676)
  • certmgr.exe (PID: 2848)
Executable content was dropped or overwritten
  • DrvInst.exe (PID: 2332)
  • DrvInst.exe (PID: 2556)
  • devcon86.exe (PID: 3436)
  • cmd.exe (PID: 3184)
  • MSI_RAMDrive_Installer.exe (PID: 296)
  • x86.exe (PID: 3800)
  • RAMDisk.tmp (PID: 2472)
  • RAMDisk.exe (PID: 2176)
  • RAMDisk_1.0.0.27.exe (PID: 3000)
Removes files from Windows directory
  • DrvInst.exe (PID: 2556)
  • DrvInst.exe (PID: 2332)
Searches for installed software
  • DrvInst.exe (PID: 2556)
Creates files in the Windows directory
  • DrvInst.exe (PID: 2332)
  • DrvInst.exe (PID: 2556)
  • devcon86.exe (PID: 3436)
  • cmd.exe (PID: 3184)
Creates files in the driver directory
  • DrvInst.exe (PID: 2556)
  • cmd.exe (PID: 3184)
Starts CMD.EXE for commands execution
  • MSI_RAMDrive_Installer.exe (PID: 296)
  • RAMDisk.tmp (PID: 2472)
Creates files in the program directory
  • x86.exe (PID: 3800)
  • ServiceControl.exe (PID: 4068)
  • MSI_RAMDrive_Installer.exe (PID: 296)
Adds / modifies Windows certificates
  • certmgr.exe (PID: 2668)
  • ServiceControl.exe (PID: 4068)
Reads Windows owner or organization settings
  • RAMDisk.tmp (PID: 2472)
Reads the Windows organization settings
  • RAMDisk.tmp (PID: 2472)
Low-level read access rights to disk partition
  • vssvc.exe (PID: 3224)
Creates a software uninstall entry
  • RAMDisk.tmp (PID: 2472)
Application was dropped or rewritten from another process
  • RAMDisk.tmp (PID: 2472)
Creates files in the program directory
  • RAMDisk.tmp (PID: 2472)
Loads dropped or rewritten executable
  • RAMDisk.tmp (PID: 2472)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
  • .exe | Win64 Executable (generic) (64.6%)
  • .dll | Win32 Dynamic Link Library (generic) (15.4%)
  • .exe | Win32 Executable (generic) (10.5%)
  • .exe | Generic Win/DOS Executable (4.6%)
  • .exe | DOS Executable Generic (4.6%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2016:08:14 21:15:49+02:00
PEType:
PE32
LinkerVersion:
14
CodeSize:
188416
InitializedDataSize:
196096
UninitializedDataSize:
null
EntryPoint:
0x1cab5
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
14-Aug-2016 19:15:49
Detected languages
English - United States
Debug artifacts
D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000108
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
6
Time date stamp:
14-Aug-2016 19:15:49
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0002DFE8 0x0002E000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.71025
.rdata 0x0002F000 0x000099D0 0x00009A00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.15287
.data 0x00039000 0x0001F8B8 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.29547
.gfids 0x00059000 0x000000F0 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 2.12367
.rsrc 0x0005A000 0x00004680 0x00004800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.63811
.reloc 0x0005F000 0x00001F8C 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 6.62986
Resources
  • 1
  • 2
  • 3
  • 4
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 100
  • 101
  • ASKNEXTVOL
  • GETPASSWORD1
  • LICENSEDLG
  • RENAMEDLG
  • REPLACEFILEDLG
  • STARTDLG

Imports
    KERNEL32.dll

    COMCTL32.dll (delay-loaded)

Exports

    No exports.

Processes

Total processes
64
Monitored processes
24
Malicious processes
8
Suspicious processes
5

Behavior graph

[Interactive process graph, not reproduced. Nodes shown (edge labels "drop and start" / "start"): ramdisk_1.0.0.27.exe, ramdisk.exe (no specs), ramdisk.exe, ramdisk.tmp, cmd.exe (no specs), certmgr.exe (no specs), certmgr.exe (no specs), certmgr.exe (no specs), servicecontrol.exe, msi_ramdisk_service.exe (no specs), msi_ramdrive_installer.exe, cmd.exe, iswin2k.exe (no specs), proctype.exe (no specs), x86.exe, devcon86.exe, drvinst.exe, vssvc.exe (no specs), drvinst.exe (no specs), drvinst.exe, devcon86.exe (no specs), kill.exe (no specs), iswin2k.exe (no specs), shutdown.exe (no specs)]
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3000
CMD
"C:\Users\admin\AppData\Local\Temp\RAMDisk_1.0.0.27.exe"
Path
C:\Users\admin\AppData\Local\Temp\RAMDisk_1.0.0.27.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\ramdisk_1.0.0.27.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\riched20.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\ramdisk.exe
c:\windows\system32\mpr.dll

PID
2976
CMD
"C:\Users\admin\AppData\Local\Temp\RAMDisk.exe"
Path
C:\Users\admin\AppData\Local\Temp\RAMDisk.exe
Indicators
No indicators
Parent process
RAMDisk_1.0.0.27.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
MSI
Description
RAMDisk Setup
Version
1.0.0.32
Modules
Image
c:\users\admin\appdata\local\temp\ramdisk.exe
c:\systemroot\system32\ntdll.dll

PID
2176
CMD
"C:\Users\admin\AppData\Local\Temp\RAMDisk.exe"
Path
C:\Users\admin\AppData\Local\Temp\RAMDisk.exe
Indicators
Parent process
RAMDisk_1.0.0.27.exe
User
admin
Integrity Level
HIGH
Version:
Company
MSI
Description
RAMDisk Setup
Version
1.0.0.32
Modules
Image
c:\users\admin\appdata\local\temp\ramdisk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\is-u6bj3.tmp\ramdisk.tmp

PID
2472
CMD
"C:\Users\admin\AppData\Local\Temp\is-U6BJ3.tmp\RAMDisk.tmp" /SL5="$40112,2824986,699392,C:\Users\admin\AppData\Local\Temp\RAMDisk.exe"
Path
C:\Users\admin\AppData\Local\Temp\is-U6BJ3.tmp\RAMDisk.tmp
Indicators
Parent process
RAMDisk.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
Setup/Uninstall
Version
51.1052.0.0
Modules
Image
c:\users\admin\appdata\local\temp\is-u6bj3.tmp\ramdisk.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\users\admin\appdata\local\temp\is-gji4i.tmp\_isetup\_shfoldr.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\imageres.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\sxs.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\msi\ramdisk\msi_ramdisk.exe
c:\program files\msi\ramdisk\unins000.exe
c:\windows\system32\apphelp.dll
c:\program files\msi\ramdisk\servicecontrol.exe
c:\program files\msi\ramdisk\msi_ramdrive_installer.exe

PID
540
CMD
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\MSI\RAMDisk\Run.bat""
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
RAMDisk.tmp
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\program files\msi\ramdisk\certmgr.exe

PID
2668
CMD
certmgr.exe -add certum-root.cer -c -s -r localMachine root
Path
C:\Program Files\MSI\RAMDisk\certmgr.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
ECM Certificate Manager
Version
5.131.1863.1
Modules
Image
c:\program files\msi\ramdisk\certmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll

PID
2848
CMD
certmgr.exe -add certum-ctnca.cer -c -s -r localMachine root
Path
C:\Program Files\MSI\RAMDisk\certmgr.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\program files\msi\ramdisk\certmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll

PID
676
CMD
certmgr.exe -add WinramtechCert.cer -c -s -r localMachine TrustedPublisher
Path
C:\Program Files\MSI\RAMDisk\certmgr.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\program files\msi\ramdisk\certmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
4068
CMD
"C:\Program Files\MSI\RAMDisk\ServiceControl.exe" install MSI_RAMDisk_Service autostart
Path
C:\Program Files\MSI\RAMDisk\ServiceControl.exe
Indicators
Parent process
RAMDisk.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Micro-Star Int'l Co., Ltd.
Description
ServiceControl
Version
1.0.0.01
Modules
Image
c:\program files\msi\ramdisk\servicecontrol.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.serv759bfb78#\86909e4c4c7deb51e42b8f335c7aaa77\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.confe64a9051#\ecc5bbc5c2734b2451ced2f668f40911\system.configuration.install.ni.dll
c:\program files\msi\ramdisk\msi_ramdisk_service.exe
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\c56771a9cfb87e660d60453e232abe27\system.runtime.serialization.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\smdiagnostics\4a2a848ea1fea1a74d5aa2f1c21c5ce8\smdiagnostics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servd1dec626#\52e9ac689c75dd011f0f7e827551e985\system.servicemodel.internals.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\wintrust.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscorsecimpl.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
1360
CMD
"C:\Program Files\MSI\RAMDisk\MSI_RAMDisk_Service.exe"
Path
C:\Program Files\MSI\RAMDisk\MSI_RAMDisk_Service.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Micro-Star Int'l Co., Ltd.
Description
MSI RAMDisk Service
Version
1.0.0.32
Modules
Image
c:\program files\msi\ramdisk\msi_ramdisk_service.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.serv759bfb78#\86909e4c4c7deb51e42b8f335c7aaa77\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\httpapi.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web\14da86a7ddbf09bd27b30061ff9a4f5e\system.web.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\4dfa27fdd6a4cce26f99585e1c744f9b\system.management.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
296
CMD
"C:\Program Files\MSI\RAMDisk\MSI_RAMDrive_Installer.exe" /quiet /hidden
Path
C:\Program Files\MSI\RAMDisk\MSI_RAMDrive_Installer.exe
Indicators
Parent process
RAMDisk.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\program files\msi\ramdisk\msi_ramdrive_installer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\devobj.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll

PID
3184
CMD
cmd /c ""C:\Users\admin\AppData\Local\Temp\AFBA.tmp\ramdrv_cmdfile.bat" /quiet /hidden "
Path
C:\Windows\system32\cmd.exe
Indicators
Parent process
MSI_RAMDrive_Installer.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\msi\ramdisk\iswin2k.exe
c:\program files\msi\ramdisk\proctype.exe
c:\program files\msi\ramdisk\x86.exe
c:\program files\msi\ramdisk\devcon86.exe
c:\program files\msi\ramdisk\kill.exe

PID
3480
CMD
ISWIN2K.exe
Path
C:\Program Files\MSI\RAMDisk\ISWIN2K.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\program files\msi\ramdisk\iswin2k.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
640
CMD
PROCTYPE.exe
Path
C:\Program Files\MSI\RAMDisk\PROCTYPE.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Description
Version
Modules
Image
c:\program files\msi\ramdisk\proctype.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3800
CMD
x86.exe -y
Path
C:\Program Files\MSI\RAMDisk\x86.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Igor Pavlov
Description
7z SFX
Version
2, 30, 24, 0
Modules
Image
c:\program files\msi\ramdisk\x86.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll

PID
3436
CMD
devcon86.exe install RAMDRiv.inf ramdriv
Path
C:\Program Files\MSI\RAMDisk\devcon86.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
[QSoft] Qualitative Software
Description
Device Driver Control
Version
6.0.6001.18000 built by: WinDDK
Modules
Image
c:\program files\msi\ramdisk\devcon86.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\spinf.dll
c:\windows\system32\newdev.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\drvstore.dll
c:\windows\system32\ramdriv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\ntmarta.dll

PID
2556
CMD
DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{3af4b3b4-613b-674b-1921-9674421aa044}\ramdriv.inf" "0" "68794a143" "000005B8" "WinSta0\Default" "000005C8" "208" "c:\program files\msi\ramdisk"
Path
C:\Windows\system32\DrvInst.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\drvstore.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\spinf.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll

PID
3224
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
3432
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005F8" "000005F4"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

PID
2332
CMD
DrvInst.exe "2" "211" "ROOT\RAMDRIV\0000" "C:\Windows\INF\oem4.inf" "ramdriv.inf:DiskDevice:DiskInstall:5.3.2.15:ramdriv" "68794a143" "000005B8" "000005E4" "000005F8"
Path
C:\Windows\system32\DrvInst.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\spfileq.dll
c:\windows\system32\version.dll
c:\windows\system32\sete9d5.tmp
c:\windows\system32\ramdriv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\ntmarta.dll

PID
3012
CMD
devcon86.exe rescan
Path
C:\Program Files\MSI\RAMDisk\devcon86.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
[QSoft] Qualitative Software
Description
Device Driver Control
Version
6.0.6001.18000 built by: WinDDK
Modules
Image
c:\program files\msi\ramdisk\devcon86.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3260
CMD
kill.exe -f RAMIPROG.EXE
Path
C:\Program Files\MSI\RAMDisk\kill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\program files\msi\ramdisk\kill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ole32.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3556
CMD
ISWIN2K.exe
Path
C:\Program Files\MSI\RAMDisk\ISWIN2K.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\program files\msi\ramdisk\iswin2k.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
1500
CMD
"C:\Windows\system32\shutdown.exe" -r -f -t 0
Path
C:\Windows\system32\shutdown.exe
Indicators
No indicators
Parent process
RAMDisk.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Shutdown and Annotation Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\shutdown.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

Registry activity

Total events
1412
Read events
1092
Write events
319
Delete events
1

Modification events

PID
Process
Operation
Key
Name
Value
3000
RAMDisk_1.0.0.27.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3000
RAMDisk_1.0.0.27.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\MSI\RAMDisk
AppVersion
1.0.0.32
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\MSI\RAMDisk
WorkDir
C:\Program Files\MSI\RAMDisk
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
Inno Setup: Setup Version
5.4.2.ee2 (u)
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
Inno Setup: App Path
C:\Program Files\MSI\RAMDisk
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
InstallLocation
C:\Program Files\MSI\RAMDisk\
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
Inno Setup: Icon Group
MSI\RAMDisk
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
Inno Setup: User
admin
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
Inno Setup: Selected Tasks
desktopicon
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
Inno Setup: Deselected Tasks
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
Inno Setup: Language
english
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
DisplayName
MSI RAMDisk
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
DisplayIcon
C:\Program Files\MSI\RAMDisk\MSI_RAMDisk.ico
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
UninstallString
"C:\Program Files\MSI\RAMDisk\unins000.exe"
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
UninstallDataFile
C:\Program Files\MSI\RAMDisk\unins000.dat
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
QuietUninstallString
"C:\Program Files\MSI\RAMDisk\unins000.exe" /SILENT
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
DisplayVersion
1.0.0.32
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
Publisher
MSI
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
URLInfoAbout
http://www.msi.com
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
HelpLink
http://www.msi.com
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
URLUpdateInfo
http://www.msi.com
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
NoModify
1
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
NoRepair
1
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
InstallDate
20190415
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
MajorVersion
1
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
MinorVersion
0
2472
RAMDisk.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F29CF050-7278-4CDB-9EF8-2DC6DAA87453}}_is1
EstimatedSize
9128
2668
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.2.1.10!6
Name
SpcSpAgencyInfo
2668
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.2.1.27!6
Name
SpcFinancialCriteria
2668
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.2.1.26!6
Name
SpcMinimalCriteria
2668
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.1!6
Name
NetscapeCertType
2668
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.2!6
Name
NetscapeBaseURL
2668
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.3!6
Name
NetscapeRevocationURL
2668
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.4!6
Name
NetscapeCARevocationURL
2668
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.7!6
Name
NetscapeCertRenewalURL
2668
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.8!6
Name
NetscapeCAPolicyURL
2668
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.12!6
Name
NetscapeSSLServerName
2668
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.13!6
Name
NetscapeComment
2668
certmgr.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118
2668
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118
Blob
2848
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.2.1.10!6
Name
SpcSpAgencyInfo
2848
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.2.1.27!6
Name
SpcFinancialCriteria
2848
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.2.1.26!6
Name
SpcMinimalCriteria
2848
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.1!6
Name
NetscapeCertType
2848
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.2!6
Name
NetscapeBaseURL
2848
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.3!6
Name
NetscapeRevocationURL
2848
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.4!6
Name
NetscapeCARevocationURL
2848
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.7!6
Name
NetscapeCertRenewalURL
2848
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.8!6
Name
NetscapeCAPolicyURL
2848
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.12!6
Name
NetscapeSSLServerName
2848
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.13!6
Name
NetscapeComment
2848
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E
Blob
03000000010000001400000007E032E020B72C3F192F0628A2593A19A70F069E2000000001000000BF030000308203BB308202A3A00302010202030444C0300D06092A864886F70D0101050500307E310B300906035504061302504C31223020060355040A1319556E697A65746F20546563686E6F6C6F6769657320532E412E31273025060355040B131E43657274756D2043657274696669636174696F6E20417574686F72697479312230200603550403131943657274756D2054727573746564204E6574776F726B204341301E170D3038313032323132303733375A170D3239313233313132303733375A307E310B300906035504061302504C31223020060355040A1319556E697A65746F20546563686E6F6C6F6769657320532E412E31273025060355040B131E43657274756D2043657274696669636174696F6E20417574686F72697479312230200603550403131943657274756D2054727573746564204E6574776F726B20434130820122300D06092A864886F70D01010105000382010F003082010A0282010100E3FB7DA372BAC2F0C91487F56B014EE16E4007BA6D275D7FF75B2DB35AC7515FABA432A66187B66E0F86D2300297F8D76957A118395D6A6479C60159AC3C314A387CD204D24B28E8205F3B07A2CC4D73DBF3AE4FC756D55AA79689FAF3AB68D423865927CF0927BCAC6E72831C3072DFE0A2E9D2E1747519BD2A9E7B1554041BD74339AD5528C5E21ABBF4C0E4AE384933CC76859F3945D2A49EF2128C51F87CE42D7FF5AC5FEB169FB12DD1BACC9142774C25C990386FDBF0CCFB8E1E97593ED5604EE60528ED4979134BBA48DB2FF972D339CAFE1FD83472F5B440CF3101C3ECDE112D175D1FB850D15E19A769DE073328CA5095F9A754CB54865045A9F9490203010001A3423040300F0603551D130101FF040530030101FF301D0603551D0E041604140876CDCB07FF24F6C5CDEDBB90BCE284374675F7300E0603551D0F0101FF040403020106300D06092A864886F70D01010505000382010100A6A8AD22CE013DA6A3FF62D0489D8B5E72B07844E3DC1CAF09FD2348FABD2AC4B95504B510A38D27DE0B8263D0EEDE0C3779415B22B2B09A415CA670E0D4D077CB23D300E06C562FE1690D0DD9AABF218150D906A5A8FF9537D0AAFEE2B3F5992D45848AE54209D774022FF789D899E9BC27D4478DBA0D461C77CF14A41CB9A431C49C28740334FF331926A5E90D74B73E97C676E82796A366DDE1AEF2415BCA9856837370E4861AD23141BA2FBE2D135A766F4EE84E810E3F5B0322A012BE6658114ACB03C4B42A2A2D9617E03954BC48D376279D9A2D06A6C9EC39D2ABDB9F9A0B27023529B14095E7F9E89C55881946D6B734F57ECE399AD938F151F74F2C
676
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.2.1.10!6
Name
SpcSpAgencyInfo
676
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.2.1.27!6
Name
SpcFinancialCriteria
676
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.2.1.26!6
Name
SpcMinimalCriteria
676
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.1!6
Name
NetscapeCertType
676
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.2!6
Name
NetscapeBaseURL
676
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.3!6
Name
NetscapeRevocationURL
676
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.4!6
Name
NetscapeCARevocationURL
676
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.7!6
Name
NetscapeCertRenewalURL
676
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.8!6
Name
NetscapeCAPolicyURL
676
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.12!6
Name
NetscapeSSLServerName
676
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\2.16.840.1.113730.1.13!6
Name
NetscapeComment
676
certmgr.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7F7FDE1D990894A8D955097BFD5B62C52E4A092A
Blob
0300000001000000140000007F7FDE1D990894A8D955097BFD5B62C52E4A092A20000000010000001C0600003082061830820500A00302010202106E82958F72D3D5746700FCE8457F9FEA300D06092A864886F70D0101050500307B310B300906035504061302504C31223020060355040A1319556E697A65746F20546563686E6F6C6F6769657320532E412E31273025060355040B131E43657274756D2043657274696669636174696F6E20417574686F72697479311F301D0603550403131643657274756D20436F6465205369676E696E67204341301E170D3134313030393039323635325A170D3137313030383039323635325A308183310B3009060355040613024245311F301D060355040A0C164368726973746961616E204748494A53454C494E434B311F301D06035504030C164368726973746961616E204748494A53454C494E434B3132303006092A864886F70D01090116234368726973746961616E2E4768696A73656C696E636B4042656C6761636F6D2E6E657430820122300D06092A864886F70D01010105000382010F003082010A0282010100C9405C2CBB4DC78FA09653F89D64A73292570FFFE16201D1C9FB55249BFC2D6CC3491AEAB3E52F3BECE7F63350572736282B4FE50D97223E7E3E807674B85CCF3F0BD8AEF82D0B9FFF8335A6A74F383C7A7AF607D29545E167C230F6D5667ECB102C0E38E08E5DD24860FE6C8342D16B72218B0D8357DD6C019EC99552FA6CF72718B500CAAFB6D5F11A0A15527460C042D09734DAC26C064783BA6333C5835519396F3012BA1997AD4EB509A051C2A143D0B4B4E9BDDCDA5B30CBE2B681D478102BBAE70F1ED31FB55989A8C22CE14CD4203DC048AA1C4B62CC9F859F3437951A124F6427FB883C7BAB66FB177D899E8A08386B8F3F9558A1FA227CA40887270203010001A382028D30820289300C0603551D130101FF04023000302E0603551D1F042730253023A021A01F861D687474703A2F2F63726C2E63657274756D2E706C2F637363612E63726C306806082B06010505070101045C305A302606082B06010505073001861A687474703A2F2F637363612E6F6373702E63657274756D2E706C303006082B060105050730028624687474703A2F2F7265706F7369746F72792E63657274756D2E706C2F637363612E636572301F0603551D23041830168014782F90F14A5CCC34511D8023F2121B7D1A23C18F301D0603551D0E041604142109238C00473BBBDEDB7AF4BA565DB720D3264F30190603551D1204123010810E637363614063657274756D2E706C300E0603551D0F0101FF0404030205A03082013E0603551D2004820135308201313082012D060B2A84680186F677020501043082011C302506082B06010505070201161968747470733A2F2F7777772E63657274756D2E706C2F4350533081F206082B060105050702023081E530201619556E697A65746F20546563686E6F6C6F6769657320532E412E30030201021A81C05573616765206F662074686973206365727469666963617465206973207374726963746C79207375626A656374656420746F207468652043455254554D2043657274696669636174696F6E2050726163746963652053746174656D656E7420284350532920696E636F72706F7261746564206279207265666572656E63652068657265696E20616E6420696E20746865207265706F7369746F72792061742068747470733A2F2F7777772E63657274756D2E706C2F7265706F7369746F72792E301F0603551D250418301606082B06010505070303060A2B0601040182373D0101301106096086480186F8420101040403020410300D06092A864886F70D01010505000382010100AF36F4FA3A5E53DF7C6C5AECB6520A875B89F9534330A7ACC5C210E7FECF11F9EECD07ADC6B0D8AA6C6798061CF7485062FF8B1DE7E601AFCA0E724F6E41BED2F63C601B65FB73FEAD4A18BB0C995CDE4D5FC270DDF420384B0447D0770213D97EFA58296565730026995F7530F831613E3DF7974EFD0C87A91DEE27853FFFBC86EC93F6314C4C037D9F221AA7A4CF1D53F077C28FB45ED73D47E0A9D41412BA59784140BEA4856AE3B6C6AEE072841982E5AFEBE9FEF65B123943F0F8606EB04E61F46C2D9176E10C89C4445E97762E9E488B12451DF5B0C4C53BC5431B875E7A1A0F73CED9D547724FDFC803E3FEBF3947FEDE68CF0E4589C347308B64B329
4068
ServiceControl.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
4068
ServiceControl.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
4068
ServiceControl.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application
AutoBackupLogFiles
0
4068
ServiceControl.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\MSI_RAMDisk_Service
EventMessageFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll
4068
ServiceControl.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
4068
ServiceControl.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E
Blob
4068
ServiceControl.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
4068
ServiceControl.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118
Blob
4068
ServiceControl.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E
Blob
4068
ServiceControl.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118
Blob
4068
ServiceControl.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E
Blob
4068
ServiceControl.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
4068
ServiceControl.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118
Blob
1360
MSI_RAMDisk_Service.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\Service1
EventMessageFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll
296
MSI_RAMDrive_Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
296
MSI_RAMDrive_Installer.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
setupapi.app.log
4096
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
setupapi.dev.log
4096
3436
devcon86.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E
Blob
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\7F7FDE1D990894A8D955097BFD5B62C52E4A092A
Blob
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters
ExcludedPAGEDPoolBanks
4294967295
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters
ExcludedNPAGEPoolBanks
24
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters
ExcludedNCACHPoolBanks
4
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters
ExcludedCONCAPoolBanks
4294967295
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters
AllowedPAGEDPoolBanks
4294967295
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters
AllowedNPAGEPoolBanks
1023
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters
AllowedNCACHPoolBanks
4294967295
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters
AllowedCONCAPoolBanks
4294967295
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters
AllowedMDLPGPoolBanks
4294967294
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters
AutoResize
0
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters
MDLPGExcludedMap
000000000000000000000007E0000000
3436
devcon86.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\BackupRestore\FilesNotToBackup
RAMDisk
B:\* /s
2556
DrvInst.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Enter)
4000000000000000E3CE0A9529F3D401FC090000F4090000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Enter)
400000000000000008F50A9529F3D401FC090000F4090000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
LastIndex
20
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Enter)
4000000000000000A391549529F3D401FC090000F4090000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Enter)
40000000000000004135569529F3D401FC09000068030000E803000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Leave)
400000000000000039FE239629F3D401FC09000068030000E803000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Leave)
4000000000000000ACF1D99A29F3D401FC090000F4090000D3070000010000000000000000000000000000000000000000000000000000000000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Enter)
4000000000000000D217DA9A29F3D401FC090000F4090000D4070000000000000000000000000000000000000000000000000000000000000000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Leave)
40000000000000008C09EA9A29F3D401FC090000F4090000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Enter)
4000000000000000B66DFA9A29F3D401FC090000A8030000E903000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Leave)
400000000000000013411C9B29F3D401FC090000A8030000E903000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Enter)
400000000000000084B31C9B29F3D401FC090000C4030000F903000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Leave)
4000000000000000CE21279B29F3D401FC090000C4030000F903000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Enter)
4000000000000000187F2C9B29F3D401FC090000F40900000A04000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Leave)
4000000000000000E8650E9C29F3D401FC090000100400000A04000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Leave)
40000000000000000D8C0E9C29F3D401FC090000F4090000D0070000010000000000000000000000000000000000000000000000000000000000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Leave)
400000000000000033B20E9C29F3D401FC090000F4090000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
FirstRun
0
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
LastIndex
20
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
1
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
StartNesting
E3CE0A9529F3D401
2556
DrvInst.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
0
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Enter)
40000000000000007AAF689529F3D401980C000070070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Enter)
40000000000000007AAF689529F3D401980C0000C8090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Enter)
40000000000000007AAF689529F3D401980C0000280B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Enter)
40000000000000007AAF689529F3D401980C0000640A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Leave)
4000000000000000AEFC6F9529F3D401980C0000C8090000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Leave)
4000000000000000D422709529F3D401980C000070070000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Leave)
40000000000000003C9B749529F3D401980C0000280B0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Leave)
400000000000000052BC779529F3D401980C0000640A0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Enter)
40000000000000006416F99A29F3D401980C0000640A00000104000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Leave)
4000000000000000D588F99A29F3D401980C0000640A00000104000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Enter)
4000000000000000B58F049B29F3D401980C000070070000E903000001000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
4000000000000000B58F049B29F3D401980C0000280B0000E903000001000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Enter)
4000000000000000B58F049B29F3D401980C0000640A0000E903000001000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Leave)
4000000000000000A58A079B29F3D401980C0000280B0000E903000000000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000A58A079B29F3D401980C0000280B00000100000001000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Leave)
4000000000000000CBB0079B29F3D401980C000070070000E903000000000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000CBB0079B29F3D401980C0000700700000100000001000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Leave)
4000000000000000CBB0079B29F3D401980C0000640A0000E903000000000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000CBB0079B29F3D401980C0000640A00000100000001000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Enter)
4000000000000000BF0B259B29F3D401980C0000280B0000F903000001000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Enter)
4000000000000000BF0B259B29F3D401980C0000640A0000F903000001000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Enter)
4000000000000000BF0B259B29F3D401980C0000C8090000F903000001000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Leave)
4000000000000000307E259B29F3D401980C0000C8090000F903000000000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Leave)
400000000000000056A4259B29F3D401980C0000640A0000F903000000000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Leave)
40000000000000007BCA259B29F3D401980C0000280B0000F903000000000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Enter)
40000000000000003EA52C9B29F3D401980C0000440400000204000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Leave)
4000000000000000AF81949B29F3D401980C0000440400000204000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Enter)
4000000000000000451A959B29F3D401980C000044040000EA03000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Enter)
40000000000000005A4C9D9B29F3D401980C0000C4030000EA03000001000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Enter)
40000000000000005A4C9D9B29F3D401980C0000080A0000EA03000001000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Enter)
40000000000000005A4C9D9B29F3D401980C0000F0070000EA03000001000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Leave)
400000000000000075BCB59B29F3D401980C0000080A0000EA03000000000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
400000000000000075BCB59B29F3D401980C0000080A00000200000001000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Leave)
40000000000000007CC7B69B29F3D401980C0000F0070000EA03000000000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000007CC7B69B29F3D401980C0000F00700000200000001000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Leave)
40000000000000002276B99B29F3D401980C0000C4030000EA03000000000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000002276B99B29F3D401980C0000C40300000200000001000000010000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Leave)
4000000000000000E99FD59B29F3D401980C000044040000EA03000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Enter)
4000000000000000E99FD59B29F3D401980C000044040000EB03000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Enter)
4000000000000000E99FD59B29F3D401980C000044040000EC03000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Enter)
40000000000000008E4ED89B29F3D401980C0000B8050000EB03000001000000020000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Leave)
40000000000000008E4ED89B29F3D401980C0000B8050000EB03000000000000020000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
40000000000000008E4ED89B29F3D401980C0000B80500000300000001000000020000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000FFC0D89B29F3D401980C000070080000FC03000001000000030000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Leave)
4000000000000000BB7FD99B29F3D401980C000044040000EC03000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Enter)
4000000000000000BB7FD99B29F3D401980C000044040000ED03000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Leave)
4000000000000000B385DD9B29F3D401980C000044040000ED03000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Enter)
4000000000000000D8ABDD9B29F3D401980C000044040000EE03000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
PID | Process | Operation | Key | Name | Value
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | FREEZE (Enter) | 40000000000000005F3FE19B29F3D401980C0000C4030000EB03000001000000020000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | FREEZE (Leave) | 40000000000000005F3FE19B29F3D401980C0000C4030000EB03000000000000020000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | VSS_WS_WAITING_FOR_THAW (SetCurrentState) | 40000000000000005F3FE19B29F3D401980C0000C40300000300000001000000020000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | BKGND_FREEZE_THREAD (Enter) | 40000000000000005F3FE19B29F3D401980C00006C060000FC03000001000000030000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_SYSTEM (Leave) | 40000000000000009B86E49B29F3D401980C000044040000EE03000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_KTM (Enter) | 4000000000000000C1ACE49B29F3D401980C000044040000F003000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_KTM (Leave) | 4000000000000000C1ACE49B29F3D401980C000044040000F003000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_RM (Enter) | 4000000000000000C1ACE49B29F3D401980C000044040000EF03000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | FREEZE (Enter) | 4000000000000000DED8E89B29F3D401980C0000C4030000EB03000001000000020000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | FREEZE (Leave) | 40000000000000003041EF9B29F3D401980C0000C4030000EB03000000000000020000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | VSS_WS_WAITING_FOR_THAW (SetCurrentState) | 40000000000000003041EF9B29F3D401980C0000C40300000300000001000000020000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | BKGND_FREEZE_THREAD (Enter) | 40000000000000003041EF9B29F3D401980C0000D40A0000FC03000001000000030000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE_RM (Leave) | 40000000000000003041EF9B29F3D401980C000044040000EF03000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | FREEZE (Leave) | 40000000000000003041EF9B29F3D401980C000044040000EB03000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_PRECOMMIT (Enter) | 40000000000000003041EF9B29F3D401980C0000440400000304000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_PRECOMMIT (Leave) | 40000000000000003041EF9B29F3D401980C0000440400000304000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace | OPEN_VOLUME_HANDLE (Enter) | 40000000000000005667EF9B29F3D401980C000044040000FD03000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_) | OPEN_VOLUME_HANDLE (Enter) | 40000000000000007B8DEF9B29F3D401980C0000E40A0000FD03000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_) | OPEN_VOLUME_HANDLE (Leave) | 40000000000000004495019C29F3D401980C0000E40A0000FD03000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace | OPEN_VOLUME_HANDLE (Leave) | 40000000000000004495019C29F3D401980C000044040000FD03000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_) | IOCTL_FLUSH_AND_HOLD (Enter) | 40000000000000004495019C29F3D401980C0000E40A0000FE03000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_) | IOCTL_FLUSH_AND_HOLD (Leave) | 4000000000000000BC23089C29F3D401980C0000E40A0000FE03000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_) | IOCTL_RELEASE (Enter) | 4000000000000000BC23089C29F3D401980C0000E40A0000FF03000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_) | IOCTL_RELEASE (Leave) | 4000000000000000BC23089C29F3D401980C0000E40A0000FF03000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace | IOCTL_FLUSH_AND_HOLD (Enter) | 40000000000000004495019C29F3D401980C000044040000FE03000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace | IOCTL_FLUSH_AND_HOLD (Leave) | 4000000000000000BC23089C29F3D401980C000044040000FE03000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace | IOCTL_RELEASE (Enter) | 4000000000000000BC23089C29F3D401980C000044040000FF030000010000000000000000000000000000000000000000000000000000000000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace | IOCTL_RELEASE (Leave) | 4000000000000000BC23089C29F3D401980C000044040000FF030000000000000000000000000000000000000000000000000000000000000000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_COMMIT (Enter) | 4000000000000000BC23089C29F3D401980C0000B80A00000404000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_COMMIT (Leave) | 4000000000000000BC23089C29F3D401980C0000B80A00000404000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_POSTCOMMIT (Enter) | 4000000000000000E149089C29F3D401980C0000440400000504000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_POSTCOMMIT (Leave) | 4000000000000000C23F0E9C29F3D401980C0000440400000504000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | THAW_KTM (Enter) | 4000000000000000C23F0E9C29F3D401980C000044040000F403000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | THAW_KTM (Leave) | 4000000000000000C23F0E9C29F3D401980C000044040000F403000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | THAW (Enter) | 4000000000000000C23F0E9C29F3D401980C000044040000F203000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | THAW (Enter) | 400000000000000048E4169C29F3D401980C000024080000F203000001000000030000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | THAW (Enter) | 400000000000000048E4169C29F3D401980C0000F0070000F203000001000000030000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | BKGND_FREEZE_THREAD (Leave) | 400000000000000048E4169C29F3D401980C00006C060000FC03000000000000030000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | BKGND_FREEZE_THREAD (Leave) | 400000000000000048E4169C29F3D401980C000070080000FC03000000000000030000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | THAW (Enter) | 400000000000000048E4169C29F3D401980C0000080A0000F203000001000000030000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | THAW (Leave) | 400000000000000048E4169C29F3D401980C000024080000F203000000000000030000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | THAW (Leave) | 400000000000000048E4169C29F3D401980C0000F0070000F203000000000000030000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | BKGND_FREEZE_THREAD (Leave) | 40000000000000006E0A179C29F3D401980C0000D40A0000FC03000000000000030000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) | 40000000000000006E0A179C29F3D401980C0000240800000400000001000000030000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) | 40000000000000006E0A179C29F3D401980C0000F00700000400000001000000030000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | THAW (Leave) | 40000000000000006E0A179C29F3D401980C0000080A0000F203000000000000030000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState) | 40000000000000009430179C29F3D401980C0000080A00000400000001000000030000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | THAW (Leave) | 400000000000000050EF179C29F3D401980C000044040000F203000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_PREFINALCOMMIT (Enter) | 40000000000000007515189C29F3D401980C0000440400000604000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_PREFINALCOMMIT (Leave) | 4000000000000000589E479C29F3D401980C0000440400000604000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | POSTSNAPSHOT (Enter) | 4000000000000000C910489C29F3D401980C000044040000F503000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | POSTSNAPSHOT (Enter) | 40000000000000008BFC539C29F3D401980C0000080A0000F503000001000000040000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | POSTSNAPSHOT (Enter) | 40000000000000008BFC539C29F3D401980C000024010000F503000001000000040000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | POSTSNAPSHOT (Enter) | 40000000000000008BFC539C29F3D401980C000024080000F503000001000000040000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | POSTSNAPSHOT (Leave) | 40000000000000006CE1549C29F3D401980C0000080A0000F503000000000000040000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) | 40000000000000006CE1549C29F3D401980C0000080A00000500000001000000040000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | POSTSNAPSHOT (Leave) | 40000000000000009207559C29F3D401980C000024010000F503000000000000040000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) | 40000000000000009207559C29F3D401980C0000240100000500000001000000040000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | POSTSNAPSHOT (Leave) | 400000000000000056DFEC9C29F3D401980C000024080000F503000000000000040000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState) | 400000000000000056DFEC9C29F3D401980C0000240800000500000001000000040000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | POSTSNAPSHOT (Leave) | 40000000000000007C05ED9C29F3D401980C000044040000F503000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_POSTFINALCOMMIT (Enter) | 40000000000000007C05ED9C29F3D401980C0000440400000704000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | PROVIDER_POSTFINALCOMMIT (Leave) | 40000000000000006228FE9C29F3D401980C0000440400000704000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | BACKUPSHUTDOWN (Enter) | 4000000000000000D0EF179D29F3D401980C000044040000FB03000001000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | BACKUPSHUTDOWN (Enter) | 40000000000000000B48209D29F3D401980C000024080000FB03000001000000050000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | BACKUPSHUTDOWN (Leave) | 40000000000000000B48209D29F3D401980C000024080000FB03000000000000050000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | BACKUPSHUTDOWN (Enter) | 40000000000000000B48209D29F3D401980C000024010000FB03000001000000050000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | BACKUPSHUTDOWN (Leave) | 40000000000000000B48209D29F3D401980C000024010000FB03000000000000050000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | BACKUPSHUTDOWN (Enter) | 40000000000000000B48209D29F3D401980C0000B8050000FB03000001000000050000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | BACKUPSHUTDOWN (Leave) | 40000000000000000B48209D29F3D401980C0000B8050000FB03000000000000050000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224 | vssvc.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher | BACKUPSHUTDOWN (Leave) | 4000000000000000306E209D29F3D401980C000044040000FB03000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3432 | DrvInst.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
2332 | DrvInst.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{FFB1C341-4539-11D3-B88D-00C04FAD5172} | Class | RAMDriv
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles | %SystemPath%\system32\DRIVERS\RAMDriv.sys | 5
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles | %SystemPath%\system32\RAMDriv.dll | 5
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles | %SystemPath%\system32\RAMDiskImage.exe | 5
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | BreakOnEntry | 0
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | DebugLevel | 5
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | DebugComp | 4294967295
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | DiskSize | 0000001000000000
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | MDLPGExcludedMap | 000000000000000000000007E0000000
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | UseMMXInstructions | 1
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | UseMountManager | 1
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\ImageFileProcessing | ProgramPath | C:\Windows\system32\RAMDiskImage.exe
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | ExcludedPAGEDPoolBanks | 4294967295
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | ExcludedNPAGEPoolBanks | 24
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | ExcludedNCACHPoolBanks | 4
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | ExcludedCONCAPoolBanks | 4294967295
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | AllowedPAGEDPoolBanks | 4294967295
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | AllowedNPAGEPoolBanks | 1023
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | AllowedNCACHPoolBanks | 4294967295
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | AllowedCONCAPoolBanks | 4294967295
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | AllowedMDLPGPoolBanks | 4294967294
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RAMDriv\Parameters | AutoResize | 0
2332 | DrvInst.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\BackupRestore\FilesNotToBackup | RAMDisk | B:\* /s
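The VSS\Diag rows written by vssvc.exe above are only useful once the 64-byte data blob is decoded. The script below is an added example; it is not part of the ANY.RUN report nor of the RAMDisk software. It parses the six-line records (PID, process, operation, key, value name, data) and unpacks the blob. The field layout is inferred from the values on this page rather than from any Microsoft documentation, so the field names are assumptions: the first qword is the record length (0x40), the second qword is a FILETIME that lands on 2019-04-15 01:21 UTC (the analysis date), the next dword equals vssvc.exe's PID 3224, the dword after it changes per thread, then come the operation code, an Enter(1)/Leave(0) flag, a small integer that tracks the writer's VSS_WRITER_STATE, and a GUID equal to the snapshot set ID that also appears in the dropped file C:\System Volume Information\SPP\OnlineMetadataCache\{80cddd28-5a11-481e-b47c-0b1abc8dbb46}_OnDiskSnapshotProp. The three sample records are copied from the report.

```python
r"""Decode the VSS\Diag registry values logged by vssvc.exe in an ANY.RUN report.

Added example, not part of the report. The 64-byte layout is INFERRED from the
values on the page (PID field == vssvc.exe PID 3224, GUID == snapshot set in the
SPP\OnlineMetadataCache filename); treat every field name as an assumption.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Three records copied from the report, six lines each, in report order:
# PID, process, operation, key, value name, data.
REPORT_LINES = r"""3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Enter)
40000000000000005F3FE19B29F3D401980C0000C4030000EB03000001000000020000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
40000000000000005F3FE19B29F3D401980C0000C40300000300000001000000020000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
3224
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Leave)
4000000000000000306E209D29F3D401980C000044040000FB03000000000000000000000000000028DDCD80115A1E48B47C0B1ABC8DBB460000000000000000
"""

# Inferred little-endian layout (assumption, see module docstring):
#   u64 record size (0x40) | u64 FILETIME | u32 pid | u32 tid | u32 opcode
#   u32 enter(1)/leave(0)  | u32 writer state | u32 reserved | 16-byte GUID | 8 reserved
# For "(SetCurrentState)" rows the opcode slot carries the new state value.
VSS_DIAG = struct.Struct("<QQIIIIII16s8s")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Public VSS_WRITER_STATE values (vss.h); the blob's state field matches them.
WRITER_STATE = {
    0: "VSS_WS_UNKNOWN", 1: "VSS_WS_STABLE", 2: "VSS_WS_WAITING_FOR_FREEZE",
    3: "VSS_WS_WAITING_FOR_THAW", 4: "VSS_WS_WAITING_FOR_POST_SNAPSHOT",
    5: "VSS_WS_WAITING_FOR_BACKUP_COMPLETE",
}


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_vss_diag(hexdata):
    raw = bytes.fromhex(hexdata)
    if len(raw) != VSS_DIAG.size:
        raise ValueError(f"expected {VSS_DIAG.size} bytes, got {len(raw)}")
    size, ft, pid, tid, opcode, enter, state, _r1, guid, _r2 = VSS_DIAG.unpack(raw)
    if size != VSS_DIAG.size:
        raise ValueError(f"size field {size:#x} does not match blob length")
    return {
        "time_utc": filetime_to_datetime(ft),
        "pid": pid,
        "tid": tid,
        "opcode": opcode,
        "enter": bool(enter),
        "writer_state": WRITER_STATE.get(state, f"unknown({state})"),
        # bytes_le: first three GUID fields are little-endian in the blob
        "snapshot_set_id": str(uuid.UUID(bytes_le=guid)),
    }


def parse_registry_records(text, fields=6):
    """Split the flattened report into dicts; refuse a truncated trailing record."""
    lines = text.splitlines()
    if len(lines) % fields:
        raise ValueError("truncated record at end of input")
    keys = ("pid", "process", "operation", "key", "name", "data")
    return [dict(zip(keys, lines[i:i + fields])) for i in range(0, len(lines), fields)]


def vss_timeline(text):
    """Return (time, writer, event, decoded) tuples for VSS\\Diag rows, oldest first."""
    rows = []
    for rec in parse_registry_records(text):
        if "\\services\\VSS\\Diag\\" not in rec["key"]:
            continue
        d = decode_vss_diag(rec["data"])
        if d["pid"] != int(rec["pid"]):
            raise ValueError("PID inside blob disagrees with the report row")
        rows.append((d["time_utc"], rec["key"].rsplit("\\", 1)[1], rec["name"], d))
    rows.sort(key=lambda r: r[0])  # stable: equal timestamps keep report order
    return rows


if __name__ == "__main__":
    for t, writer, event, d in vss_timeline(REPORT_LINES):
        print(f"{t:%Y-%m-%d %H:%M:%S.%f} pid={d['pid']} tid={d['tid']} "
              f"op={d['opcode']} {writer}: {event} [{d['writer_state']}] "
              f"set={d['snapshot_set_id']}")
```

Feeding the whole registry section through vss_timeline gives an ordered freeze/thaw/post-snapshot timeline of the shadow copy that DrvInst.exe triggered during the driver install, with the snapshot set ID that ties these rows to the SPP files in the dropped-files list. The two Lovelace IOCTL_RELEASE rows carry an all-zero GUID and decode to the nil UUID, so do not key on that field alone.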

Files activity

Executable files: 40
Suspicious files: 22
Text files: 396
Unknown types: 20

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3184 | cmd.exe | B:\regdmp.exe | executable | 9dd25fc496f9da2840e9e2a6a991253c | 1535326cc421c66a8e1cc5990e286033c304e3ee7ba3a0269bd2fed6891bc1b0
3800 | x86.exe | C:\Program Files\MSI\RAMDisk\RAMDriv.sys | executable | 7df0168e3c566c9af9cbd206a7c005c3 | dd42d6a65b26d3a6fb8aaeab6ec276dcbf049bb594f49e1aa5a8703d792e4dba
2472 | RAMDisk.tmp | C:\Program Files\MSI\RAMDisk\Smbios.dll | executable | b57c769b2c8a64935d14f051d1fb3537 | 095fe96b9b41c2fba23bfe40bfb790e831d540e76ef0df0fdb9d436143ad6fac
3184 | cmd.exe | C:\Windows\System32\RAMDriv.dll | executable | 7ce003e745bc01d44b87bb583f203b01 | b325ea3fd43af89d508ea0b3aaaf037c9d96ff7b52628dca6b9e2d813934c746
2472 | RAMDisk.tmp | C:\Program Files\MSI\RAMDisk\MSI_RAMDrive_Installer.exe | executable | fcc21ea41430571427032827efe80e1b | 0dcac3efcec88ce064d1abca93784c1cb0e1f23a06213fd84cbf390616c35d4b
2472 | RAMDisk.tmp | C:\Program Files\MSI\RAMDisk\System.Data.SQLite.dll | executable | 8acbdadf5e2d886f60fe2d5cd48e2554 | d8c7ba85a4eee2870bc6e298e75e4c73b1f5e2efa6feff590fc87a251e5d6af6
2472 | RAMDisk.tmp | C:\Program Files\MSI\RAMDisk\ServiceControl.exe | executable | 3a513ce32cb957c6accd3ec12438117b | e4c8225319875c8bf84f962fa4c09e4a9a80fd4bcb361c5af4c430ea12694e0a
3184 | cmd.exe | C:\Windows\System32\Drivers\RAMDriv.sys | executable | 7df0168e3c566c9af9cbd206a7c005c3 | dd42d6a65b26d3a6fb8aaeab6ec276dcbf049bb594f49e1aa5a8703d792e4dba
2472 | RAMDisk.tmp | C:\Program Files\MSI\RAMDisk\MSI_RAMDisk_Service.exe | executable | 564243d275ffa139fb81ff48f081908c | 9c023e060f5fbcef1cfa822f2988fe74aa46a359a1721055ed9bcce95cc5cab5
3436 | devcon86.exe | C:\Users\admin\AppData\Local\Temp\{3af4b3b4-613b-674b-1921-9674421aa044}\RAMDriv.dll | executable | 7ce003e745bc01d44b87bb583f203b01 | b325ea3fd43af89d508ea0b3aaaf037c9d96ff7b52628dca6b9e2d813934c746
2472 | RAMDisk.tmp | C:\Program Files\MSI\RAMDisk\MSI_RAMDisk.exe | executable | 82158347a228af9c7b93baf133095bde | be2d6db4c3e8be1d54d8b0bf212f571b30ffb4521909be9333eb8c09640b5e08
3800 | x86.exe | C:\Program Files\MSI\RAMDisk\RAMDiskImage.exe | executable | 8bdc03faa9c437627ed140425b35bbc3 | 051cd14ef7e0efb79c67c2ca8091a9864f038a88ddbb75626228987dc3fdddd6
3436 | devcon86.exe | C:\Users\admin\AppData\Local\Temp\{3af4b3b4-613b-674b-1921-9674421aa044}\RAMDiskImage.exe | executable | 8bdc03faa9c437627ed140425b35bbc3 | 051cd14ef7e0efb79c67c2ca8091a9864f038a88ddbb75626228987dc3fdddd6
296 | MSI_RAMDrive_Installer.exe | C:\Program Files\MSI\RAMDisk\devcon86.exe | executable | db9fc131c58b66e4fe696dda10309ca3 | 7cd4c3a98f88fc4ecdb7f1077858ec9f9316a188b5118bb93f8800dcfcb78dd5
2472 | RAMDisk.tmp | C:\Program Files\MSI\RAMDisk\DeviceManager.exe | executable | 2221d31c9e3900f7352e05c6e9178a4c | 704c25e21c117e0e70f15abb34e25b939600f24437f961b7e5f01903d89871d7
3800 | x86.exe | C:\Program Files\MSI\RAMDisk\RAMDriv.dll | executable | 7ce003e745bc01d44b87bb583f203b01 | b325ea3fd43af89d508ea0b3aaaf037c9d96ff7b52628dca6b9e2d813934c746
3436 | devcon86.exe | C:\Users\admin\AppData\Local\Temp\{3af4b3b4-613b-674b-1921-9674421aa044}\RAMDriv.sys | executable | 7df0168e3c566c9af9cbd206a7c005c3 | dd42d6a65b26d3a6fb8aaeab6ec276dcbf049bb594f49e1aa5a8703d792e4dba
296 | MSI_RAMDrive_Installer.exe | C:\Program Files\MSI\RAMDisk\kill.exe | executable | 43f7aacc526751357c2c0cd82103126d | 800e4916f9dcce8d5bf1ba510416f0a88cfe34dd8ea11decc3c67a4c722a2832
2472 | RAMDisk.tmp | C:\Program Files\MSI\RAMDisk\certmgr.exe | executable | 5d077a0cdd077c014eedb768feb249ba | 8a830c48c4d78159dd80f4dad81c0bebbf9314710026b1a2ef0ffdddcb24b83d
296 | MSI_RAMDrive_Installer.exe | C:\Program Files\MSI\RAMDisk\x86.exe | executable | f846b33f30def664ac6ceb972daf114d | 0f536078e4e00357a48020cd7b957af7df12ec442825e4fd39aca9d62741cb5a
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\Temp\{7455af84-e3dd-007a-82f7-de5e86cfe554}\RAMDriv.dll | executable | 7ce003e745bc01d44b87bb583f203b01 | b325ea3fd43af89d508ea0b3aaaf037c9d96ff7b52628dca6b9e2d813934c746
296 | MSI_RAMDrive_Installer.exe | C:\Program Files\MSI\RAMDisk\RAMDSIZE.exe | executable | 0f95828974a390e490f40b3d3c6ac23a | 1ea4aedf91988bce654afde61e429996dd9d858f2e78c111dce3fe5e3e5eeeff
2472 | RAMDisk.tmp | C:\Program Files\MSI\RAMDisk\unins000.exe | executable | c3ea13ae8743181f7bf27d7c16d61b04 | b9f705f57c69e222dddebe42cb3f2817a0976970cce9fbb32be746937356f2d7
296 | MSI_RAMDrive_Installer.exe | C:\Program Files\MSI\RAMDisk\regdmp.exe | executable | 9dd25fc496f9da2840e9e2a6a991253c | 1535326cc421c66a8e1cc5990e286033c304e3ee7ba3a0269bd2fed6891bc1b0
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\Temp\{7455af84-e3dd-007a-82f7-de5e86cfe554}\RAMDiskImage.exe | executable | 8bdc03faa9c437627ed140425b35bbc3 | 051cd14ef7e0efb79c67c2ca8091a9864f038a88ddbb75626228987dc3fdddd6
296 | MSI_RAMDrive_Installer.exe | C:\Program Files\MSI\RAMDisk\devcon64.exe | executable | e2a73ae83092315f245bfa41f3d6c3a2 | 31e9e5dd9c7e98863dbbbae5dcacab4c5468525b6646f7101cc342b1e5906713
2472 | RAMDisk.tmp | C:\Users\admin\AppData\Local\Temp\is-GJI4I.tmp\_isetup\_shfoldr.dll | executable | 92dc6ef532fbb4a5c3201469a5b5eb63 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
296 | MSI_RAMDrive_Installer.exe | C:\Program Files\MSI\RAMDisk\ISWIN2K.exe | executable | 6f2002e3375ae90e1040190da9657f93 | e715e1568ddc2d8b426c924023f0ba61164eb5d7fb39aa6b2f2b32b944f7d713
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\Temp\{7455af84-e3dd-007a-82f7-de5e86cfe554}\RAMDriv.sys | executable | 7df0168e3c566c9af9cbd206a7c005c3 | dd42d6a65b26d3a6fb8aaeab6ec276dcbf049bb594f49e1aa5a8703d792e4dba
296 | MSI_RAMDrive_Installer.exe | C:\Program Files\MSI\RAMDisk\RAMPROMP.exe | executable | 561e629a65991d0ece7b306a048f55f0 | 83d5c74d4f2b48300d6e03c208fcc9dd64713d14677fb95c50c6cfa0b9018577
2176 | RAMDisk.exe | C:\Users\admin\AppData\Local\Temp\is-U6BJ3.tmp\RAMDisk.tmp | executable | c3ea13ae8743181f7bf27d7c16d61b04 | b9f705f57c69e222dddebe42cb3f2817a0976970cce9fbb32be746937356f2d7
296 | MSI_RAMDrive_Installer.exe | C:\Program Files\MSI\RAMDisk\BOOTMSG.exe | executable | a37d2c6880a0f46f1876bd047aabb20b | fa54a68bdacda773cdec1cf6a22d70ebc7b0c69e3d14a0baea2356e3c11ab867
2332 | DrvInst.exe | C:\Windows\system32\RAMDriv.dll | executable | 7ce003e745bc01d44b87bb583f203b01 | b325ea3fd43af89d508ea0b3aaaf037c9d96ff7b52628dca6b9e2d813934c746
296 | MSI_RAMDrive_Installer.exe | C:\Program Files\MSI\RAMDisk\RAMIPROG.EXE | executable | 04302a4d8c6c30f8cb0a0c3dbedf29c4 | d51575078ad7fac57a5930978e3f592afd79e9d750da5161cd8bc3d3afa0e5bf
3000 | RAMDisk_1.0.0.27.exe | C:\Users\admin\AppData\Local\Temp\RAMDisk.exe | executable | a9888310fcbb030232b3e3a6060beea8 | 07c90ec17a2488cceee0f629de3116b17d770315630f5ae18919afed221a1d13
296 | MSI_RAMDrive_Installer.exe | C:\Program Files\MSI\RAMDisk\HELPDIAL.exe | executable | 5c4e4a2073518f74f6fb8b0e14744dae | 18cfb23f7770da285a64116ea4e625b449aec52af658bb6415393dacd44805a8
296 | MSI_RAMDrive_Installer.exe | C:\Program Files\MSI\RAMDisk\PROMPREM.exe | executable | d47dc951ff69059fe00adbe804b1995d | 5a17dc85efa1f17cb9bd258a991bdf43d58f4055acb02cf689640a4b0b1a8dd5
296 | MSI_RAMDrive_Installer.exe | C:\Program Files\MSI\RAMDisk\PROCTYPE.exe | executable | e0c48c4fc5b872543c63bce86c14a370 | 1f428dfdc52134d3084c210d494fa46c9dfae744a3dc15a6e363ca40b5e688b7
296 | MSI_RAMDrive_Installer.exe | C:\Program Files\MSI\RAMDisk\x64.exe | executable | 253dbea98a24ac528fa5b96c36859ed0 | b9c773e281ba6dae2588db25de251901e1bcdcdd2c29cb6473aa905c2a503218
3184 | cmd.exe | C:\Windows\System32\RAMDiskImage.exe | executable | 8bdc03faa9c437627ed140425b35bbc3 | 051cd14ef7e0efb79c67c2ca8091a9864f038a88ddbb75626228987dc3fdddd6
2332 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | ede2b359cd7a874d2fad6d9325ff2f1e | bf87411f293bd6af599ffe34b98b1a751632fcbd96bc46e650417e5660acabe0
2332 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | 86b85e9dbcfc62ce2d08902aef3715c7 | d25e0ace804af85c4f0434658213c60f9d0f9db79b6860c3af3fec24332f3fd3
3436 | devcon86.exe | C:\Windows\INF\setupapi.dev.log | ini | 69dbd7bb98d556b28f6b5dff80c7a179 | 9c3760c7e755ad56e84f24a9c4f3d5ae71fd2b8f4cbe95b215713e54029e4d0b
3436 | devcon86.exe | C:\Windows\System32\DriverStore\infpub.dat | binary | 31713cb2fc2d0bec4c586986d1d930be | 1059cc08002a5c9532f0eef8cce62f16316aa97c32549709366d7ecc06f17bfe
3436 | devcon86.exe | C:\Windows\System32\DriverStore\infstrng.dat | binary | c83d1b507731ef6b062a2cfd39111329 | 8e5377e78a038dd004c5c39b679c90b8212b03b8229935fe5d31d1b9c82b5f01
3436 | devcon86.exe | C:\Windows\System32\CatRoot2\dberr.txt | text | afe76a750e8874b145d656d77cb41f0a | de0a1428f27aab7f3face55ccb88e45b512f8a0457021ba54fd74368dad3bf8f
3436 | devcon86.exe | C:\Windows\INF\setupapi.dev.log | ini | 696821176dfb5603240aa236392f66fe | fbdcffec313266746c9f61ad0f47fa8fce583f3b9b181a5fefec2dad1e5a0ac3
3436 | devcon86.exe | C:\Windows\System32\CatRoot2\dberr.txt | text | 12d4f7c35331c899f0841e954edb60a0 | ec3f45e7daddcba7a15d9a06b51eb5e414e28a659a6f374dd790fcefd594acad
3436 | devcon86.exe | C:\Windows\INF\setupapi.dev.log | ini | dc3117ce4959c1a8c047f7ec9b40b940 | e9d18a6a7175aebd4afe2d156eda80a3e5ae7aa330736496f501f55d10a6ad0c
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\OLDCACHE.000 | –– | –– | ––
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\INFCACHE.1 | binary | 68e81854b009a959571f1b029e29a5ab | 5fea2b92445f2f6d9ca2e26f0f51b6d547d50e14e6340d91a6dc2773ddc21ebf
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\INFCACHE.0 | –– | –– | ––
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\INFCACHE.2 | binary | 68e81854b009a959571f1b029e29a5ab | 5fea2b92445f2f6d9ca2e26f0f51b6d547d50e14e6340d91a6dc2773ddc21ebf
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\infpub.dat | binary | bd780ec0fcea9e2f3e6da2ebd3654fa2 | 1cbd80cb236ca8a2899e078ab9cfe96d0c3bf9af37c3bee6ca6aa8e9ebc4fae1
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\infstor.dat | binary | 837f1b091d79449e27e97f232c4e938e | 75d49dfa672ccccef90dd26280ebd4e1d76b3aec566187f49dc6ef9423e8dbec
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\infstrng.dat | binary | 262d530fbe8587ca492e592a8983d38a | 856ef944ee02a446aed15d0078ddf4a7ca3032f4abc1000280047d0c5cf71b61
2556 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | dc3117ce4959c1a8c047f7ec9b40b940 | e9d18a6a7175aebd4afe2d156eda80a3e5ae7aa330736496f501f55d10a6ad0c
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\FileRepository\ramdriv.inf_x86_neutral_1b066d2dd9b72369\ramdriv.PNF | pnf | 853cb7589a6b6c241791bfd7ae9c2b0f | baca1c5e488425b250c5b1fddd9cdf01ed915f01ef055f6544c2adb33717d603
2556 | DrvInst.exe | C:\Windows\INF\oem4.inf | txt | 8a8b6b37ae01eee4ae1f8a8e47d9ad20 | 79e2cf7691325c819d0d2fb794ae6f96bf8d1d93ad8c9b61c612d6d58311c1b9
3432 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | 80ec8c08f7ac2ceb866c143f9e99c7c2 | c008961504c2b88c308ee41abf9855d957c45e5065f34db34dc9fc3adc6f5fd3
3432 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | 9ebffa4e36dd307673e999307b47029c | 73d0190695d27f2a7cde93e28f92bdf4378a3a7a896460afe0505a14c985a2e8
3432 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | 8332a05f532a20117203f5a3c3f08f59 | 68fa942d8c59dba9771d589099d9d627229d662f3e451eb692d8943036297b9b
3432 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | 76dcc60f78b3dff1ae3627619074f465 | 18541ac1875315c4f9eff75050c574faff83717c029dae6b366f9c6c3f0c19e0
2556 | DrvInst.exe | C:\System Volume Information\SPP\metadata-2 | –– | –– | ––
2556 | DrvInst.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{80cddd28-5a11-481e-b47c-0b1abc8dbb46}_OnDiskSnapshotProp | binary | d06afdd1e48a1a2fbdbd92e0263c286a | 47b590c6e431782c1861425d33be66eb5804c340bf4a60db84fb372d0344d72f
2556 | DrvInst.exe | C:\System Volume Information\SPP\snapshot-2 | binary | d06afdd1e48a1a2fbdbd92e0263c286a | 47b590c6e431782c1861425d33be66eb5804c340bf4a60db84fb372d0344d72f
2556 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | c83679271dc049c08876688c1795d957 | 8aa285dc754bc59f50e370021c1f324b1eb420cb7a5a9f565758915de6a6fdd3
2556 | DrvInst.exe | C:\Windows\TEMP\TarB5AD.tmp | –– | –– | ––
2556 | DrvInst.exe | C:\Windows\TEMP\CabB5AC.tmp | –– | –– | ––
2556 | DrvInst.exe | C:\Windows\TEMP\TarB58B.tmp | –– | –– | ––
2556 | DrvInst.exe | C:\Windows\TEMP\CabB58A.tmp | –– | –– | ––
2556 | DrvInst.exe | C:\Windows\TEMP\TarB57A.tmp | –– | –– | ––
2556 | DrvInst.exe | C:\Windows\TEMP\CabB579.tmp | –– | –– | ––
2556 | DrvInst.exe | C:\Windows\TEMP\TarB568.tmp | –– | –– | ––
2556 | DrvInst.exe | C:\Windows\TEMP\CabB567.tmp | –– | –– | ––
3184 | cmd.exe | B:\RAMDriv.chm | chm | d47fadb876fc28bf2406c3b3e91c26a6 | 8cbdeb246cb513c29f7f52fe5d9bb371b7eeb58ef61e8a95a6beaf5a57ca8cdb
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\Temp\{7455af84-e3dd-007a-82f7-de5e86cfe554}\SETB52D.tmp | –– | –– | ––
3436 | devcon86.exe | C:\Users\Administrator\NTUSER.DAT.LOG1 | log | f726dd4dd07274e41c3e7c31563500ab | 26e7d2c1efdf80ef247094eb4d74f345e37e9ae2212d8025a744fb27154177e4
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\Temp\{7455af84-e3dd-007a-82f7-de5e86cfe554}\SETB51C.tmp | –– | –– | ––
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\Temp\{7455af84-e3dd-007a-82f7-de5e86cfe554}\ramdriv.inf | txt | 8a8b6b37ae01eee4ae1f8a8e47d9ad20 | 79e2cf7691325c819d0d2fb794ae6f96bf8d1d93ad8c9b61c612d6d58311c1b9
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\Temp\{7455af84-e3dd-007a-82f7-de5e86cfe554}\SETB50B.tmp | –– | –– | ––
3436 | devcon86.exe | C:\Users\Administrator\NTUSER.DAT | hiv | 4b6981f9a31d9337d7d0d7664b174e9d | 983b7973273c1c4c186adf2187973d970b41f0040b16102e252e8c21bfb24ce7
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\Temp\{7455af84-e3dd-007a-82f7-de5e86cfe554}\SETB4FB.tmp | –– | –– | ––
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\Temp\{7455af84-e3dd-007a-82f7-de5e86cfe554}\Ramdriv.cat | cat | 217f41a3a4d77dba40d6d1e1cbf71e1a | 78378e67cb2f3a28afd625f185c2f3ceb642695e42992b29ed520e3d63617389
2556 | DrvInst.exe | C:\Windows\System32\DriverStore\Temp\{7455af84-e3dd-007a-82f7-de5e86cfe554}\SETB4EA.tmp | –– | –– | ––
2556
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: b3699aba828dd71bc26372b2b8fbca6f
SHA256: 2e0e00b20d6212209e48a45293f242d8ed7996a2cddeeb2127df53402f094b4b
3436
devcon86.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: b3699aba828dd71bc26372b2b8fbca6f
SHA256: 2e0e00b20d6212209e48a45293f242d8ed7996a2cddeeb2127df53402f094b4b
3436
devcon86.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
hiv
MD5: 573327377a2289718f799b8c56c8b516
SHA256: a049057e1c636bf021ce6ad116caff7b4d0a96abf60b7452f1b25af08dda90b6
3436
devcon86.exe
C:\Users\admin\AppData\Local\Temp\{3af4b3b4-613b-674b-1921-9674421aa044}\SETB462.tmp
––
MD5:  ––
SHA256:  ––
3436
devcon86.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1
log
MD5: f7bba0162a025dbf0587992b6d774d8c
SHA256: d2a5f1f43bf49b67f574bbee7b9464a770c72ba08b9f837589d0f1c34d4036d4
3436
devcon86.exe
C:\Users\admin\AppData\Local\Temp\{3af4b3b4-613b-674b-1921-9674421aa044}\SETB461.tmp
––
MD5:  ––
SHA256:  ––
3436
devcon86.exe
C:\Users\admin\AppData\Local\Temp\{3af4b3b4-613b-674b-1921-9674421aa044}\ramdriv.inf
txt
MD5: 8a8b6b37ae01eee4ae1f8a8e47d9ad20
SHA256: 79e2cf7691325c819d0d2fb794ae6f96bf8d1d93ad8c9b61c612d6d58311c1b9
3436
devcon86.exe
C:\Users\admin\AppData\Local\Temp\{3af4b3b4-613b-674b-1921-9674421aa044}\SETB450.tmp
––
MD5:  ––
SHA256:  ––
3436
devcon86.exe
C:\Windows\INF\setupapi.dev.log
text
MD5: 2f4ba72576959d5aae8e15b6ebbcc7b7
SHA256: ca8852f8e509325c63accf299f9e8c115bd154886d75775130207adabd6f7d00
3436
devcon86.exe
C:\Users\admin\AppData\Local\Temp\{3af4b3b4-613b-674b-1921-9674421aa044}\SETB44F.tmp
––
MD5:  ––
SHA256:  ––
3436
devcon86.exe
C:\Users\admin\AppData\Local\Temp\{3af4b3b4-613b-674b-1921-9674421aa044}\Ramdriv.cat
cat
MD5: 217f41a3a4d77dba40d6d1e1cbf71e1a
SHA256: 78378e67cb2f3a28afd625f185c2f3ceb642695e42992b29ed520e3d63617389
3436
devcon86.exe
C:\Users\admin\AppData\Local\Temp\{3af4b3b4-613b-674b-1921-9674421aa044}\SETB43E.tmp
––
MD5:  ––
SHA256:  ––
3436
devcon86.exe
C:\Users\admin\AppData\Local\Temp\TarB3D2.tmp
––
MD5:  ––
SHA256:  ––
3436
devcon86.exe
C:\Users\admin\AppData\Local\Temp\CabB3D1.tmp
––
MD5:  ––
SHA256:  ––
3436
devcon86.exe
C:\Windows\INF\setupapi.app.log
text
MD5: e3669f6081df1da2c5848b90297d976a
SHA256: 136266f5ffa8e43e8609e7abfeed369cbee3639a5447420467f3c67327deafe7
3436
devcon86.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: c675b36e8d3396b47e69871b4127fc00
SHA256: 8d1f53bf3f8331c222a501fe473e53b1a8ca805a6629ce1f82cc2e4aa71b6390
3436
devcon86.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: e9f65360dc480c779027f18de391d6a8
SHA256: 5a70ff7834f367ff6f9a6e3f8d53dbfa1745d3892cf29d84e563d99eafb665c2
2332
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 46191acd3dc3925c9d2575c110e97d6f
SHA256: acd7a41991b543cd1630420d33e91db54a53781a22f0fc0a5589b5bb11f37b85
2332
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: f5e20eb4ece0c81ee7c84eefefe03a10
SHA256: 7c755ccb60dbcf8c20d2010a073a5cbf67659295b27932e339dbeda76d671281
3800
x86.exe
C:\Program Files\MSI\RAMDisk\RAMDriv.inf
txt
MD5: 8a8b6b37ae01eee4ae1f8a8e47d9ad20
SHA256: 79e2cf7691325c819d0d2fb794ae6f96bf8d1d93ad8c9b61c612d6d58311c1b9
2332
DrvInst.exe
C:\Windows\System32\DriverStore\infstrng.dat
binary
MD5: 9d7ff231f6ad7476c617de889014e736
SHA256: 9735c87e65dcfff95e0133e47a60d4a8c1245a65b668422d6949fadd707e0e9f
2332
DrvInst.exe
C:\Windows\System32\DriverStore\infpub.dat
binary
MD5: 5e39ef3bb478ff31b0959811daa773cf
SHA256: c4ca83610287721d152b93bd4d7b2e057ee01206ce8a54796fe7d178e9a2829b
3800
x86.exe
C:\Program Files\MSI\RAMDisk\ramdriv.cat
cat
MD5: 217f41a3a4d77dba40d6d1e1cbf71e1a
SHA256: 78378e67cb2f3a28afd625f185c2f3ceb642695e42992b29ed520e3d63617389
2332
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: c79c59594f1847e08ad08d0a1b66b2ea
SHA256: ee7e01fefbf493b3a43723b5e52c9056c6b8ee8a6e68f9b75e5f60886417c019
2332
DrvInst.exe
C:\Windows\INF\setupapi.ev3
binary
MD5: d6067d35ea11d3f2dff963e046d08e79
SHA256: 5674e4062f424b8ff9a4d15ac30fed236e490039bcbcd4f4262794fd2181806d
2332
DrvInst.exe
C:\Windows\INF\setupapi.ev2
binary
MD5: 72a8af248778470333bcea9ccf8a59a6
SHA256: 6519b929a333aa4849817260a4d3dc2320c930fcffed34a76794095859d27531
3224
vssvc.exe
C:
––
MD5:  ––
SHA256:  ––
2332
DrvInst.exe
C:\Windows\TEMP\TarEA8F.tmp
––
MD5:  ––
SHA256:  ––
2332
DrvInst.exe
C:\Windows\TEMP\CabEA8E.tmp
––
MD5:  ––
SHA256:  ––
2332
DrvInst.exe
C:\Windows\TEMP\TarEA8D.tmp
––
MD5:  ––
SHA256:  ––
2332
DrvInst.exe
C:\Windows\TEMP\CabEA8C.tmp
––
MD5:  ––
SHA256:  ––
3000
RAMDisk_1.0.0.27.exe
C:\Users\admin\AppData\Local\Temp\RAMDisk ReleaseNote.txt
text
MD5: 3ab81a32fcd369af5627b6f6a20b7ca5
SHA256: 85b39af1f75b7c77d84e60ee8bf50056e863c992e6646b4fcd07263eb2077d82
296
MSI_RAMDrive_Installer.exe
C:\Users\admin\AppData\Local\Temp\AFBA.tmp\ramdrv_cmdfile.bat
text
MD5: cbfe9ee404bce81e00201e1508dc4086
SHA256: 189609e83b6d518e4fa0473fcf554975e5d2638ee17d0110264c299fddac67e7
2332
DrvInst.exe
C:\Windows\system32\SETE9D5.tmp
––
MD5:  ––
SHA256:  ––
296
MSI_RAMDrive_Installer.exe
C:\Program Files\MSI\RAMDisk\RAMDrivDMP.bat
text
MD5: 8641e4f3963f71be6dac3f1692984b28
SHA256: 10d6974db8a15d70e2680bd77909171ae8b34e110f5248fc16e9c3e8707690ca
2332
DrvInst.exe
C:\Windows\Temp\OLDE9CF.tmp
––
MD5:  ––
SHA256:  ––
296
MSI_RAMDrive_Installer.exe
C:\Program Files\MSI\RAMDisk\ramdiskuninst.reg
text
MD5: d3193cf6e9a5c059b2f3220082c23463
SHA256: 4b62ce0d23bb22bc3c1eebc572122dac1c6dd7ac21399967eb9dbcc940d62379
2332
DrvInst.exe
C:\Windows\TEMP\TarE9A0.tmp
––
MD5:  ––
SHA256:  ––
296
MSI_RAMDrive_Installer.exe
C:\Program Files\MSI\RAMDisk\RAMDriv.chm
chm
MD5: d47fadb876fc28bf2406c3b3e91c26a6
SHA256: 8cbdeb246cb513c29f7f52fe5d9bb371b7eeb58ef61e8a95a6beaf5a57ca8cdb
296
MSI_RAMDrive_Installer.exe
C:\Program Files\MSI\RAMDisk\suppressreboot.reg
text
MD5: 7a1543dbe4f6471c9f470a478ec47993
SHA256: b27b386a5b953b86351921bb5d2ba0d3d810e8c0fde8f7281622c4a49d408c14
2332
DrvInst.exe
C:\Windows\TEMP\CabE99F.tmp
––
MD5:  ––
SHA256:  ––
2332
DrvInst.exe
C:\Windows\INF\oem4.PNF
pnf
MD5: 7918c0af1943a739a0300d5e1063e5a0
SHA256: 217303c333e018be8a45b6f653a585d78041f92af1848e6a03f7bf2868c7fac4
4068
ServiceControl.exe
C:\Program Files\MSI\RAMDisk\MSI_RAMDisk_Service.InstallState
xml
MD5: ffb29bd88bd23c639985f1d369dbd1ca
SHA256: 1adb4f9d1d152e018246a0a2762b473d910906340207f57d3f8ce1097e1de09f
4068
ServiceControl.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
binary
MD5: 1a3286dc8db683416a4b5ffe16d21b2f
SHA256: 6ca1e1f66c4f62e7f90d2ff04742ab047fed93bf5739a3082fc269eb75a37834
4068
ServiceControl.exe
C:\Users\admin\AppData\Local\Temp\TarA7B1.tmp
––
MD5:  ––
SHA256:  ––
4068
ServiceControl.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
compressed
MD5: 04d79a0dc77a8f449cbff6252862d398
SHA256: 4c9c4d831d61c8c38b2513f9b431ef4f4cf6af9fb18a2317cd2178d6e0997822
4068
ServiceControl.exe
C:\Users\admin\AppData\Local\Temp\CabA7B0.tmp
––
MD5:  ––
SHA256:  ––
4068
ServiceControl.exe
C:\Users\admin\AppData\Local\Temp\TarA695.tmp
––
MD5:  ––
SHA256:  ––
4068
ServiceControl.exe
C:\Users\admin\AppData\Local\Temp\CabA694.tmp
––
MD5:  ––
SHA256:  ––
4068
ServiceControl.exe
C:\Users\admin\AppData\Local\Temp\TarA664.tmp
––
MD5:  ––
SHA256:  ––
4068
ServiceControl.exe
C:\Users\admin\AppData\Local\Temp\CabA663.tmp
––
MD5:  ––
SHA256:  ––
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\unins000.dat
dat
MD5: 18bafbd883dc1b16c70d9707b05a9e29
SHA256: 51f997650512ca73279ef7c30d10675807cd8a4e3e2ef5612ae4bbe338bb0b88
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\unins000.msg
binary
MD5: 77088b7612c0d0038d4b0c3e195db567
SHA256: c6ce898d8f0e0da2e98a52fbd7f8cea57f39ec0c329429e4fd15c5595b189080
2472
RAMDisk.tmp
C:\Users\Public\Desktop\MSI RAMDisk.lnk
lnk
MD5: 9ea83b5a47d27562c614da386a8b82ad
SHA256: a07fc8124c0fdf6e07605db9565f168a36a322880ed3fec1ef8d73c20e65ca86
2472
RAMDisk.tmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSI\RAMDisk\Uninstall RAMDisk.lnk
lnk
MD5: 08ac4ec7487c1b6ced53c81268332152
SHA256: f9fa0436b3ea3799b27500e1f100568cec56a8e00574313bf7a65f71018257c8
2472
RAMDisk.tmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSI\RAMDisk\RAMDisk.lnk
lnk
MD5: 211bb6334d90bd2a6706683c8ecef064
SHA256: 47b81ca3deaef5964ac63b06f5c118fd65793e6b61e19ffbc7840e4f758cc438
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\MSI_RAMDisk.ico
image
MD5: 4c25e0996224e585ba716551c0bbca1c
SHA256: 71e51ae18cf0e536215c6088edb092bd26f4c4714184560f1be5f5b0e5e8579a
2332
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: ff2fbf124b0c5919a76c407f210e5cac
SHA256: f30502038f80e8d204dbd82a7df7eef9d77fc9635affa7eae4ab9d4c2bd237ba
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\WinramtechCert.cer
der
MD5: 29a8d295f7bc90d2d86b21f930ec06a1
SHA256: 0b1266f9401e2b9e4712e9cd9be019799d8a86f2496e03f1df10b1a67eef59d2
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\is-4DA83.tmp
––
MD5:  ––
SHA256:  ––
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\is-JAHQ4.tmp
––
MD5:  ––
SHA256:  ––
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\is-MJRM0.tmp
––
MD5:  ––
SHA256:  ––
2332
DrvInst.exe
C:\Windows\TEMP\TarE930.tmp
––
MD5:  ––
SHA256:  ––
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\is-POV0D.tmp
––
MD5:  ––
SHA256:  ––
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\Run.bat
text
MD5: 38e21437fc124704127481ad619c2f43
SHA256: 4f03424bff9c2e8ae72a3361e1c4e58adf6a683fe36943149aa035bd94ecba09
2332
DrvInst.exe
C:\Windows\TEMP\CabE92F.tmp
––
MD5:  ––
SHA256:  ––
2332
DrvInst.exe
C:\Windows\TEMP\TarE8FF.tmp
––
MD5:  ––
SHA256:  ––
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\is-OKNUB.tmp
––
MD5:  ––
SHA256:  ––
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\is-0SLUC.tmp
––
MD5:  ––
SHA256:  ––
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\is-DFQ7E.tmp
––
MD5:  ––
SHA256:  ––
2332
DrvInst.exe
C:\Windows\TEMP\CabE8FE.tmp
––
MD5:  ––
SHA256:  ––
2332
DrvInst.exe
C:\Windows\TEMP\TarE8AF.tmp
––
MD5:  ––
SHA256:  ––
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\is-LCNRM.tmp
––
MD5:  ––
SHA256:  ––
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\is-2FIIQ.tmp
––
MD5:  ––
SHA256:  ––
2332
DrvInst.exe
C:\Windows\TEMP\CabE8AE.tmp
––
MD5:  ––
SHA256:  ––
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\is-7G8I9.tmp
––
MD5:  ––
SHA256:  ––
2332
DrvInst.exe
C:\Windows\TEMP\TarE87E.tmp
––
MD5:  ––
SHA256:  ––
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\certum-ctnca.cer
text
MD5: c741baa6b6afd5374712b7efce6c3348
SHA256: 3b1288b7fd26cdf1d1eac8ea906b1f1fbeb7baeed5aa4a7f82cc321b56317504
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\certum-root.cer
text
MD5: 3ca4fa0bf891f8a3a8d105040eae7137
SHA256: b078cb0fa54129c41d3ed5cd07cd8bacf3b13cf3fbce898e671270b2b5643f84
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\is-2DFV7.tmp
––
MD5:  ––
SHA256:  ––
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\is-06T88.tmp
––
MD5:  ––
SHA256:  ––
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\is-MSSQN.tmp
––
MD5:  ––
SHA256:  ––
2332
DrvInst.exe
C:\Windows\TEMP\CabE87D.tmp
––
MD5:  ––
SHA256:  ––
2472
RAMDisk.tmp
C:\Program Files\MSI\RAMDisk\is-VLRQ2.tmp
––
MD5:  ––
SHA256:  ––
2332
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 144180abbe7f93d2774b338d1ebfa40b
SHA256: 3c207dc57e2f5284afc38bf5a3fcc043691a8c580af7d06ec0a07ba9e1838179
2332
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: befe28f3bcbbbe9d299fe2701efa5ae1
SHA256: 3441a73d9c20b2ec856d04b8ee76e13064267e7e28b28f6c0daa985398cbe8c9
2332
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 69dbd7bb98d556b28f6b5dff80c7a179
SHA256: 9c3760c7e755ad56e84f24a9c4f3d5ae71fd2b8f4cbe95b215713e54029e4d0b
3184
cmd.exe
B:\RAMDrivDMP.bat
text
MD5: 8641e4f3963f71be6dac3f1692984b28
SHA256: 10d6974db8a15d70e2680bd77909171ae8b34e110f5248fc16e9c3e8707690ca

Network activity

HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID   Process             Method  HTTP Code  IP                 URL                                                                                            CN  Type        Size  Reputation
4068  ServiceControl.exe  GET     200        93.184.221.240:80  http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab  US  compressed  ––    whitelisted

Connections

PID   Process             IP                 ASN                                                    CN  Reputation
4068  ServiceControl.exe  93.184.221.240:80  MCI Communications Services, Inc. d/b/a Verizon Business  US  whitelisted

DNS requests

Domain                          IP              Reputation
www.download.windowsupdate.com  93.184.221.240  whitelisted

Threats

No threats detected.

Debug output strings

No debug info.