General Info

File name

mma.msi

Full analysis
https://app.any.run/tasks/9381dcb0-eaac-480c-a7c8-b80ba48859c9
Verdict
Malicious activity
Analysis date
9/11/2019, 12:32:41
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

exe-to-msi

Indicators:

MIME:
application/x-msi
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
MD5

a51588a7eacd50b8f7d0348da2ec17e1

SHA1

3eaefc8acd158f51e877a914d982fda5e446b178

SHA256

d7cf982f5244b5b3234e2e5c185f7882d34972f30c89beab431ed7f7527e223a

SSDEEP

6144:QEq4ZAwvQE6yyj7XEidfLDv6cOsrqj9Dl7fFaWRb1iSjFWC:QEq4NoyWXEiNDv6cJk9Z7fFaWpASM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO

No malicious indicators.

Executable content was dropped or overwritten
  • msiexec.exe (PID: 2328)
Creates files in the program directory
  • dw20.exe (PID: 3820)
Executed via COM
  • DrvInst.exe (PID: 3356)
Executed as Windows Service
  • vssvc.exe (PID: 2204)
Drop ExeToMSI Application
  • msiexec.exe (PID: 2328)
Starts application with an unusual extension
  • msiexec.exe (PID: 2328)
Application was crashed
  • MSIEC.tmp (PID: 3676)
Searches for installed software
  • msiexec.exe (PID: 2328)
Low-level read access rights to disk partition
  • vssvc.exe (PID: 2204)
Application was dropped or rewritten from another process
  • MSIEC.tmp (PID: 3676)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.msi
|   Microsoft Installer (100%)
EXIF
FlashPix
CodePage:
Windows Latin 1 (Western European)
LastPrinted:
2012:09:21 09:56:09
CreateDate:
2012:09:21 09:56:09
Software:
Windows Installer
Title:
Exe to msi converter free
Subject:
null
Author:
www.exetomsi.com
Keywords:
null
Comments:
null
Template:
;0
LastModifiedBy:
devuser
RevisionNumber:
{C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}
ModifyDate:
2013:05:21 11:56:44
Pages:
100
Words:
null
Security:
None

Screenshots

Processes

Total processes
38
Monitored processes
6
Malicious processes
0
Suspicious processes
0

Behavior graph

+
start drop and start msiexec.exe no specs msiexec.exe vssvc.exe no specs drvinst.exe no specs msiec.tmp dw20.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2900
CMD
"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\mma.msi"
Path
C:\Windows\System32\msiexec.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1603
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll

PID
2328
CMD
C:\Windows\system32\msiexec.exe /V
Path
C:\Windows\system32\msiexec.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\srclient.dll
c:\windows\system32\spp.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\atl.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\es.dll
c:\windows\system32\sxs.dll
c:\windows\system32\propsys.dll
c:\windows\system32\samlib.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\installer\msiec.tmp
c:\windows\system32\devrtl.dll

PID
2204
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll

PID
3356
CMD
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "000003C8" "000004B8"
Path
C:\Windows\system32\DrvInst.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Driver Installation Module
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\spinf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\spfileq.dll

PID
3676
CMD
"C:\Windows\Installer\MSIEC.tmp"
Path
C:\Windows\Installer\MSIEC.tmp
Indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Exit code
3762507597
Version:
Company
Description
UnityGameEngine
Version
1.6.4.5
Modules
Image
c:\windows\installer\msiec.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\gac_msil\system.windows.forms\2.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v2.0.50727\dw20.exe
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll

PID
3820
CMD
dw20.exe -x -s 424
Path
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Indicators
Parent process
MSIEC.tmp
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Error Reporting Shim
Version
2.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\dw20.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wer.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\installer\msiec.tmp
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscordacwks.dll
c:\windows\system32\verifier.dll

Registry activity

Total events
467
Read events
297
Write events
162
Delete events
8

Modification events

PID
Process
Operation
Key
Name
Value
2328
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
2328
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback
2328
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\858132C493B23D11E8D0000CF486730D
2328
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components
2328
msiexec.exe
delete key
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
2328
msiexec.exe
delete key
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72
2328
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
2328
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Enter)
4000000000000000BE089D488C68D50118090000A80F0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Enter)
4000000000000000BE089D488C68D50118090000A80F0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
LastIndex
24
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Enter)
4000000000000000905208498C68D50118090000A80F0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Enter)
4000000000000000EAB40A498C68D50118090000AC0E0000E8030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
IDENTIFY (Leave)
400000000000000044443E4A8C68D50118090000AC0E0000E8030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppGatherWriterMetadata (Leave)
4000000000000000965F9A538C68D50118090000A80F0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Enter)
4000000000000000965F9A538C68D50118090000A80F0000D4070000000000000000000000000000000000000000000000000000000000000000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppAddInterestingComponents (Leave)
40000000000000001A37B2538C68D50118090000A80F0000D4070000010000000000000000000000000000000000000000000000000000000000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Enter)
4000000000000000AC35D1538C68D50118090000AC0C0000E9030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
PREPAREBACKUP (Leave)
40000000000000005A82FE538C68D50118090000AC0C0000E9030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Enter)
4000000000000000B4E400548C68D50118090000D00C0000F9030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
GETSTATE (Leave)
4000000000000000D0320F548C68D50118090000D00C0000F9030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Enter)
4000000000000000DE5916548C68D50118090000A80F00000A040000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
DOSNAPSHOT (Leave)
40000000000000006A0D8F558C68D50118090000FC0C00000A040000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
SppCreate (Leave)
40000000000000006A0D8F558C68D50118090000A80F0000D0070000010000000000000000000000000000000000000000000000000000000000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
SrCreateRp (Leave)
40000000000000006A0D8F558C68D50118090000A80F0000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
FirstRun
0
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
LastIndex
24
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
1
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
StartNesting
BE089D488C68D501
2328
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Owner
18090000D81F53488C68D501
2328
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
SessionHash
C01A60DA93D5196BBEFBE9B9ED1D2142C586DE29509F7C4EED4362E97F9A2531
2328
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Sequence
1
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
C:\Windows\Installer\16f60f.ipi
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Config.Msi\
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\16f610.rbs
30763156
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\16f610.rbsLow
3103193824
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\858132C493B23D11E8D0000CF486730D
7137FE921ACD9514792B8C38DA04A06C
2328
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Volatile
NestingLevel
0
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Enter)
400000000000000060651B498C68D5019C080000080B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Enter)
400000000000000060651B498C68D5019C080000040B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Enter)
400000000000000060651B498C68D5019C0800001C0F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Enter)
400000000000000060651B498C68D5019C080000180F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
IDENTIFY (Leave)
4000000000000000C8EE24498C68D5019C080000080B0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
IDENTIFY (Leave)
4000000000000000C8EE24498C68D5019C080000040B0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
IDENTIFY (Leave)
4000000000000000225127498C68D5019C080000180F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
IDENTIFY (Leave)
40000000000000003E9F35498C68D5019C0800001C0F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Enter)
400000000000000052D3CE538C68D5019C0800001C0F000001040000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_BEGINPREPARE (Leave)
400000000000000052D3CE538C68D5019C0800001C0F000001040000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Enter)
400000000000000022E6E1538C68D5019C080000040B0000E9030000010000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Enter)
400000000000000022E6E1538C68D5019C0800001C0F0000E9030000010000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Enter)
400000000000000022E6E1538C68D5019C080000180F0000E9030000010000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPAREBACKUP (Leave)
4000000000000000D6AAE6538C68D5019C080000040B0000E9030000000000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000D6AAE6538C68D5019C080000040B000001000000010000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPAREBACKUP (Leave)
4000000000000000300DE9538C68D5019C0800001C0F0000E9030000000000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000300DE9538C68D5019C0800001C0F000001000000010000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPAREBACKUP (Leave)
4000000000000000300DE9538C68D5019C080000180F0000E9030000000000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_STABLE (SetCurrentState)
4000000000000000300DE9538C68D5019C080000180F000001000000010000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Enter)
400000000000000076D00C548C68D5019C080000180F0000F9030000010000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Enter)
4000000000000000D0320F548C68D5019C080000040B0000F9030000010000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Enter)
4000000000000000D0320F548C68D5019C0800001C0F0000F9030000010000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
GETSTATE (Leave)
4000000000000000D0320F548C68D5019C080000180F0000F9030000000000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
GETSTATE (Leave)
4000000000000000D0320F548C68D5019C0800001C0F0000F9030000000000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
GETSTATE (Leave)
4000000000000000D0320F548C68D5019C080000040B0000F9030000000000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Enter)
4000000000000000DE5916548C68D5019C080000000D000002040000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_ENDPREPARE (Leave)
4000000000000000C679B8548C68D5019C080000000D000002040000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Enter)
4000000000000000C679B8548C68D5019C080000000D0000EA030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Enter)
4000000000000000F0EECD548C68D5019C0800002C0C0000EA030000010000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Enter)
4000000000000000F0EECD548C68D5019C080000240C0000EA030000010000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Enter)
4000000000000000F0EECD548C68D5019C080000040C0000EA030000010000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
PREPARESNAPSHOT (Leave)
400000000000000044D9F8548C68D5019C0800002C0C0000EA030000000000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
400000000000000044D9F8548C68D5019C0800002C0C000002000000010000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
PREPARESNAPSHOT (Leave)
40000000000000009E3BFB548C68D5019C080000040C0000EA030000000000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
40000000000000009E3BFB548C68D5019C080000040C000002000000010000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
PREPARESNAPSHOT (Leave)
4000000000000000F89DFD548C68D5019C080000240C0000EA030000000000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_FREEZE (SetCurrentState)
4000000000000000F89DFD548C68D5019C080000240C000002000000010000000100000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
PREPARESNAPSHOT (Leave)
4000000000000000D05F40558C68D5019C080000000D0000EA030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Enter)
4000000000000000D05F40558C68D5019C080000000D0000EB030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Enter)
4000000000000000D05F40558C68D5019C080000000D0000EC030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Enter)
400000000000000038E949558C68D5019C080000040C0000EB030000010000000200000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
FREEZE (Leave)
400000000000000038E949558C68D5019C080000040C0000EB030000000000000200000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
400000000000000038E949558C68D5019C080000040C000003000000010000000200000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Enter)
400000000000000038E949558C68D5019C0800005C0D0000FC030000010000000300000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_FRONT (Leave)
4000000000000000924B4C558C68D5019C080000000D0000EC030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Enter)
4000000000000000924B4C558C68D5019C080000000D0000ED030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_BACK (Leave)
4000000000000000461051558C68D5019C080000000D0000ED030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Enter)
4000000000000000461051558C68D5019C080000000D0000EE030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Enter)
4000000000000000FAD455558C68D5019C080000140C0000EB030000010000000200000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
FREEZE (Leave)
4000000000000000FAD455558C68D5019C080000140C0000EB030000000000000200000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000FAD455558C68D5019C080000140C000003000000010000000200000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000FAD455558C68D5019C080000580D0000FC030000010000000300000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_SYSTEM (Leave)
400000000000000008FC5C558C68D5019C080000000D0000EE030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Enter)
400000000000000008FC5C558C68D5019C080000000D0000F0030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_KTM (Leave)
400000000000000008FC5C558C68D5019C080000000D0000F0030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Enter)
400000000000000008FC5C558C68D5019C080000000D0000EF030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Enter)
4000000000000000BCC061558C68D5019C080000140C0000EB030000010000000200000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
FREEZE (Leave)
4000000000000000708566558C68D5019C080000140C0000EB030000000000000200000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_THAW (SetCurrentState)
4000000000000000708566558C68D5019C080000140C000003000000010000000200000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Enter)
4000000000000000708566558C68D5019C080000C40E0000FC030000010000000300000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE_RM (Leave)
4000000000000000708566558C68D5019C080000000D0000EF030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
FREEZE (Leave)
4000000000000000708566558C68D5019C080000000D0000EB030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Enter)
4000000000000000708566558C68D5019C080000000D000003040000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PRECOMMIT (Leave)
4000000000000000CAE768558C68D5019C080000000D000003040000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Enter)
4000000000000000CAE768558C68D5019C080000000D0000FD030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Enter)
4000000000000000CAE768558C68D5019C080000CC0E0000FD030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
OPEN_VOLUME_HANDLE (Leave)
40000000000000004EBF80558C68D5019C080000CC0E0000FD030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
OPEN_VOLUME_HANDLE (Leave)
40000000000000004EBF80558C68D5019C080000000D0000FD030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Enter)
40000000000000004EBF80558C68D5019C080000CC0E0000FE030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_FLUSH_AND_HOLD (Leave)
400000000000000010AB8C558C68D5019C080000CC0E0000FE030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Enter)
400000000000000010AB8C558C68D5019C080000CC0E0000FF030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace(__?_Volume{e1a82db4-a9f0-11e7-b142-806e6f6e6963}_)
IOCTL_RELEASE (Leave)
400000000000000010AB8C558C68D5019C080000CC0E0000FF030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Enter)
40000000000000004EBF80558C68D5019C080000000D0000FE030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_FLUSH_AND_HOLD (Leave)
400000000000000010AB8C558C68D5019C080000000D0000FE030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Enter)
400000000000000010AB8C558C68D5019C080000000D0000FF030000010000000000000000000000000000000000000000000000000000000000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Lovelace
IOCTL_RELEASE (Leave)
400000000000000010AB8C558C68D5019C080000000D0000FF030000000000000000000000000000000000000000000000000000000000000000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Enter)
400000000000000010AB8C558C68D5019C080000D40E000004040000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_COMMIT (Leave)
400000000000000010AB8C558C68D5019C080000D40E000004040000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Enter)
400000000000000010AB8C558C68D5019C080000000D000005040000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTCOMMIT (Leave)
400000000000000010AB8C558C68D5019C080000000D000005040000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Enter)
400000000000000010AB8C558C68D5019C080000000D0000F4030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW_KTM (Leave)
40000000000000006A0D8F558C68D5019C080000000D0000F4030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Enter)
40000000000000006A0D8F558C68D5019C080000000D0000F2030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Enter)
4000000000000000E0BD9F558C68D5019C0800002C0C0000F2030000010000000300000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000E0BD9F558C68D5019C0800005C0D0000FC030000000000000300000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
THAW (Leave)
4000000000000000E0BD9F558C68D5019C0800002C0C0000F2030000000000000300000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000E0BD9F558C68D5019C0800002C0C000004000000010000000300000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Enter)
4000000000000000E0BD9F558C68D5019C080000040C0000F2030000010000000300000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000E0BD9F558C68D5019C080000580D0000FC030000000000000300000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
THAW (Leave)
4000000000000000E0BD9F558C68D5019C080000040C0000F2030000000000000300000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
4000000000000000E0BD9F558C68D5019C080000040C000004000000010000000300000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Enter)
4000000000000000E0BD9F558C68D5019C080000200C0000F2030000010000000300000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BKGND_FREEZE_THREAD (Leave)
4000000000000000E0BD9F558C68D5019C080000C40E0000FC030000000000000300000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
THAW (Leave)
4000000000000000E0BD9F558C68D5019C080000200C0000F2030000000000000300000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_POST_SNAPSHOT (SetCurrentState)
40000000000000003A20A2558C68D5019C080000200C000004000000010000000300000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
THAW (Leave)
40000000000000003A20A2558C68D5019C080000000D0000F2030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Enter)
40000000000000003A20A2558C68D5019C080000000D000006040000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_PREFINALCOMMIT (Leave)
4000000000000000B87FE2558C68D5019C080000000D000006040000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Enter)
400000000000000012E2E4558C68D5019C080000000D0000F5030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Enter)
400000000000000044062A568C68D5019C080000140C0000F5030000010000000400000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Enter)
400000000000000044062A568C68D5019C080000F40B0000F5030000010000000400000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Enter)
400000000000000044062A568C68D5019C080000240C0000F5030000010000000400000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
POSTSNAPSHOT (Leave)
40000000000000009E682C568C68D5019C080000140C0000F5030000000000000400000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
40000000000000009E682C568C68D5019C080000140C000005000000010000000400000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
POSTSNAPSHOT (Leave)
40000000000000009E682C568C68D5019C080000F40B0000F5030000000000000400000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
40000000000000009E682C568C68D5019C080000F40B000005000000010000000400000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
POSTSNAPSHOT (Leave)
4000000000000000E45881578C68D5019C080000240C0000F5030000000000000400000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
VSS_WS_WAITING_FOR_BACKUP_COMPLETE (SetCurrentState)
4000000000000000E45881578C68D5019C080000240C000005000000010000000400000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
POSTSNAPSHOT (Leave)
4000000000000000E45881578C68D5019C080000000D0000F5030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Enter)
4000000000000000E45881578C68D5019C080000000D000007040000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
PROVIDER_POSTFINALCOMMIT (Leave)
40000000000000007657A0578C68D5019C080000000D000007040000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Enter)
4000000000000000466AB3578C68D5019C080000000D0000FB030000010000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Enter)
40000000000000000856BF578C68D5019C080000240C0000FB030000010000000500000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
BACKUPSHUTDOWN (Leave)
40000000000000000856BF578C68D5019C080000240C0000FB030000000000000500000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Enter)
40000000000000000856BF578C68D5019C080000140C0000FB030000010000000500000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Enter)
40000000000000000856BF578C68D5019C0800002C0C0000FB030000010000000500000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
BACKUPSHUTDOWN (Leave)
40000000000000000856BF578C68D5019C0800002C0C0000FB030000000000000500000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
BACKUPSHUTDOWN (Leave)
40000000000000000856BF578C68D5019C080000140C0000FB030000000000000500000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
2204
vssvc.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssvcPublisher
BACKUPSHUTDOWN (Leave)
40000000000000000856BF578C68D5019C080000000D0000FB030000000000000000000000000000B3B5EFEDF8E67941A5FD9C11FDDC7A5C0000000000000000
3356
DrvInst.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US

Files activity

Executable files
2
Suspicious files
7
Text files
63
Unknown types
0

Dropped files

PID
Process
Filename
Type
2328
msiexec.exe
C:\Windows\Installer\MSIEC.tmp
executable
MD5: 31e828f722eea5361ce951b3864f1b88
SHA256: 5cd194a8ff094e2a58e0d2790fafdf8d7e2b9ce4bd2d89fee710d5642d5df0a4
2328
msiexec.exe
C:\Windows\Installer\16f60d.msi
executable
MD5: a51588a7eacd50b8f7d0348da2ec17e1
SHA256: d7cf982f5244b5b3234e2e5c185f7882d34972f30c89beab431ed7f7527e223a
2328
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DF57025032D13B6106.TMP
––
MD5:  ––
SHA256:  ––
2328
msiexec.exe
C:\Config.Msi\16f610.rbs
––
MD5:  ––
SHA256:  ––
3820
dw20.exe
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msiec.tmp_a5a744e1607a93228a319079fd532d7d2deecef_cab_0efb1388\Report.wer
binary
MD5: a30e8bb4b8cbe9b5aca8d6bfd91cfd53
SHA256: 66686e15bef414a5197b680cef3b0de342d18f36f9c5a001b483a9098000c4c1
3820
dw20.exe
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msiec.tmp_a5a744e1607a93228a319079fd532d7d2deecef_cab_0efb1388\WER12FD.tmp.mdmp
––
MD5:  ––
SHA256:  ––
3820
dw20.exe
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msiec.tmp_a5a744e1607a93228a319079fd532d7d2deecef_cab_0efb1388\WER3E9.tmp.hdmp
––
MD5:  ––
SHA256:  ––
3820
dw20.exe
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_msiec.tmp_a5a744e1607a93228a319079fd532d7d2deecef_cab_0efb1388\WER3E8.tmp.WERInternalMetadata.xml
xml
MD5: 70cbf9dfa3b90bcb205d1ca63037021f
SHA256: 2bd8daf377bd8f8c91f61dd385c1f5f94f66873617dd332eaada709f7e8e19b5
3820
dw20.exe
C:\Users\admin\AppData\Local\Temp\WER12FD.tmp.mdmp
––
MD5:  ––
SHA256:  ––
3820
dw20.exe
C:\Users\admin\AppData\Local\Temp\WER3E9.tmp.hdmp
––
MD5:  ––
SHA256:  ––
2204
vssvc.exe
C:
––
MD5:  ––
SHA256:  ––
3820
dw20.exe
C:\Users\admin\AppData\Local\Temp\WER3E8.tmp.WERInternalMetadata.xml
xml
MD5: 70cbf9dfa3b90bcb205d1ca63037021f
SHA256: 2bd8daf377bd8f8c91f61dd385c1f5f94f66873617dd332eaada709f7e8e19b5
2328
msiexec.exe
C:\System Volume Information\SPP\snapshot-2
binary
MD5: e43d95599a2d52883f66319ef8b4a91e
SHA256: 81b9179d4ae4876ec7a85033a98944c3792dd682ba5551ccafe51b0d1043137e
2328
msiexec.exe
C:\Windows\Installer\MSIFF15.tmp
binary
MD5: caeedbce816210ecff933472fcb4f160
SHA256: 2c93bd42244aac3422a2bf2b8f7b5ea9bd21aa28b3f41f32b768b01332887eed
2328
msiexec.exe
C:\Windows\Installer\16f60f.ipi
binary
MD5: dfc9b194ec5ebf85c396ce889482ca56
SHA256: 3e850c8af58b658949fcd20f1c5217fbcf8295a815126f99fff644c1768ac69c
2328
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DF215B1C74E21DCFF6.TMP
––
MD5:  ––
SHA256:  ––
2900
msiexec.exe
C:\Users\admin\AppData\Local\Temp\MSI714c0.LOG
text
MD5: ae03e3862df7d21966f748f1d58b5b29
SHA256: 1fedd972e4f15b17ef2aa62e0077a9f9173941c74a571beec699d43506d9a50d
3356
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 36bd897fc9870ad57894d9d91694292d
SHA256: f8db95c9a60822996eed30e664c91a8c686473b8a72235f50fa3d9778b0087e3
3356
DrvInst.exe
C:\Windows\INF\setupapi.dev.log
ini
MD5: 4ddf1513ae8654134a014fb200f69adb
SHA256: 06cc69dd96db1e55b24b78b056fdca9e405a175fa35fef36c844bf9a4bcf6941
3356
DrvInst.exe
C:\Windows\INF\setupapi.ev1
binary
MD5: ef5ea2a884dfedc2acd89b817898a6e3
SHA256: 7b208b617f65f2f1c72d319df669adcbf763e9961cdf53ceba99955aebb55b41
3356
DrvInst.exe
C:\Windows\INF\setupapi.ev3
binary
MD5: 8f761032829fb6121aee77e26dc667a6
SHA256: f83e1592023b7c8f6c15847f26d30770c0a52e6c7304dba951eea437e2737649
2328
msiexec.exe
C:\System Volume Information\SPP\metadata-2
––
MD5:  ––
SHA256:  ––
2328
msiexec.exe
C:\System Volume Information\SPP\OnlineMetadataCache\{edefb5b3-e6f8-4179-a5fd-9c11fddc7a5c}_OnDiskSnapshotProp
binary
MD5: e43d95599a2d52883f66319ef8b4a91e
SHA256: 81b9179d4ae4876ec7a85033a98944c3792dd682ba5551ccafe51b0d1043137e
2328
msiexec.exe
C:\Windows\Installer\16f60f.ipi
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.